Edit tour

Windows Analysis Report
PDFonlineseguro.exe

Overview

General Information

Sample name:	PDFonlineseguro.exe
Analysis ID:	1587432
MD5:	fddcc6db43b7aea103c315249bc12bbe
SHA1:	97f3ce1e1008deef73aed1d4f58bf184146ad243
SHA256:	bf836b14f236cce4cecd3b261b4e9b3f2f159ac9661cc2bf351e3533a7e8e5eb
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected AntiVM3

AI detected suspicious sample

Allocates memory in foreign processes

Drops PE files to the document folder of the user

Drops large PE files

Injects a PE file into a foreign processes

May modify the system service descriptor table (often done to hook functions)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PDFonlineseguro.exe (PID: 6328 cmdline: "C:\Users\user\Desktop\PDFonlineseguro.exe" MD5: FDDCC6DB43B7AEA103C315249BC12BBE)

csc.exe (PID: 1912 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2514402981.0000000007FD3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.2513804925.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.2513943972.0000000006E31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 1912	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 1912	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.csc.exe.8059828.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.csc.exe.6b60000.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PDFonlineseguro.exe, ProcessId: 6328, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NordicVPN

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Unpacked PE file: 0.2.PDFonlineseguro.exe.400000.0.unpack

Source: PDFonlineseguro.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: D:\ActiveClean\src\user\TMCOMMENG\Release\tmcomeng.pdbPMZ source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\tmavsetup\Release\TmEngDrv.pdbP source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\RootkitScanner\Release\RootkitBuster.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\tmavsetup\Release\TmEngDrv.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\TMCOMMENG\Release\tmcomeng.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\activeclean\src\sys\output\fre_wxp_x86\i386\tmcomm.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00406A80 FindFirstFileW,FindClose,		0_2_00406A80
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00405570 SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,		0_2_00405570

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 4x nop then push esi

0_2_0040A4B0

Source: global traffic

TCP traffic: 192.168.2.7:49799 -> 181.71.216.203:30203

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net

Source: csc.exe, 00000009.00000002.2513943972.000000000708A000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2513943972.0000000006E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2513943972.0000000006E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File dump: RemotePCPrinter.exe.0.dr 959667331

Jump to dropped file

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_00407070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00407070

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412EE7	0_2_00412EE7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041C054	0_2_0041C054
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041C00B	0_2_0041C00B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041303C	0_2_0041303C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041A0DC	0_2_0041A0DC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004120B2	0_2_004120B2
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004260B6	0_2_004260B6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041694D	0_2_0041694D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412905	0_2_00412905
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041290D	0_2_0041290D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041B9DC	0_2_0041B9DC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041A1E4	0_2_0041A1E4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004159F1	0_2_004159F1
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041AA4B	0_2_0041AA4B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041425D	0_2_0041425D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041C26C	0_2_0041C26C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00414A08	0_2_00414A08
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412A0D	0_2_00412A0D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412A36	0_2_00412A36
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412AE3	0_2_00412AE3
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412AB5	0_2_00412AB5
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00416B48	0_2_00416B48
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412B56	0_2_00412B56
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00416B5B	0_2_00416B5B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00416B0B	0_2_00416B0B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041B314	0_2_0041B314
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041E316	0_2_0041E316
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412B27	0_2_00412B27
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00416B35	0_2_00416B35
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00426B34	0_2_00426B34
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004133D4	0_2_004133D4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412BBC	0_2_00412BBC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412C5E	0_2_00412C5E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415C77	0_2_00415C77
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412CD6	0_2_00412CD6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415CDC	0_2_00415CDC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004144E2	0_2_004144E2
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004134E5	0_2_004134E5
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00413489	0_2_00413489
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041E492	0_2_0041E492
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415D41	0_2_00415D41
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412D4D	0_2_00412D4D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041B54D	0_2_0041B54D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415D53	0_2_00415D53
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412563	0_2_00412563
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041AD6D	0_2_0041AD6D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415D32	0_2_00415D32
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00425DCF	0_2_00425DCF
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412D96	0_2_00412D96
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00413D9B	0_2_00413D9B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00419E63	0_2_00419E63
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00419E6E	0_2_00419E6E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412E00	0_2_00412E00
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041BE24	0_2_0041BE24
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00413629	0_2_00413629
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004136A8	0_2_004136A8
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00419F47	0_2_00419F47
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412F5B	0_2_00412F5B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412F68	0_2_00412F68
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00420F6C	0_2_00420F6C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412F2D	0_2_00412F2D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041BFF9	0_2_0041BFF9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008FCA85	0_2_008FCA85
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00908DD9	0_2_00908DD9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090F0D5	0_2_0090F0D5
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090C044	0_2_0090C044
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090984B	0_2_0090984B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00909992	0_2_00909992
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F596E	0_2_008F596E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F726C	0_2_008F726C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090C331	0_2_0090C331
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F232A	0_2_008F232A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F8B47	0_2_008F8B47
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00908B58	0_2_00908B58
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F736F	0_2_008F736F
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F2409	0_2_008F2409
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008FC42C	0_2_008FC42C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090E423	0_2_0090E423
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090A444	0_2_0090A444
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F6465	0_2_008F6465
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090EC7B	0_2_0090EC7B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090959F	0_2_0090959F
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F6D9D	0_2_008F6D9D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090ADCA	0_2_0090ADCA
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F6D03	0_2_008F6D03
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00908D06	0_2_00908D06
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F6D28	0_2_008F6D28
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008FB522	0_2_008FB522
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090C521	0_2_0090C521
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008F6D66	0_2_008F6D66
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0090C63A	0_2_0090C63A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_008FCFD7	0_2_008FCFD7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00909F4D	0_2_00909F4D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092E012	0_2_0092E012
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093341D	0_2_0093341D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092C45E	0_2_0092C45E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D0BE	0_2_0092D0BE
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092F0A4	0_2_0092F0A4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D8AE	0_2_0092D8AE
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009320F1	0_2_009320F1
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009330F4	0_2_009330F4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009330E0	0_2_009330E0
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009200EA	0_2_009200EA
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092001F	0_2_0092001F
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092002C	0_2_0092002C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092E05B	0_2_0092E05B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092E044	0_2_0092E044
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093407E	0_2_0093407E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D1B4	0_2_0092D1B4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009341AB	0_2_009341AB
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D1AB	0_2_0092D1AB
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009249D9	0_2_009249D9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009349C8	0_2_009349C8
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009341F2	0_2_009341F2
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092E9FA	0_2_0092E9FA
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009249FD	0_2_009249FD
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009321E8	0_2_009321E8
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092E131	0_2_0092E131
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093413A	0_2_0093413A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D921	0_2_0092D921
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D129	0_2_0092D129
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092E150	0_2_0092E150
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D158	0_2_0092D158
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092494C	0_2_0092494C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D173	0_2_0092D173
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092496A	0_2_0092496A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D96C	0_2_0092D96C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00932292	0_2_00932292
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009342A4	0_2_009342A4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DAD7	0_2_0092DAD7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009322F6	0_2_009322F6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00924A37	0_2_00924A37
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DA34	0_2_0092DA34
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092925E	0_2_0092925E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093224C	0_2_0093224C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DA71	0_2_0092DA71
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DA7B	0_2_0092DA7B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00924B83	0_2_00924B83
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D38C	0_2_0092D38C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009243B0	0_2_009243B0
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00933BA3	0_2_00933BA3
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00933BD9	0_2_00933BD9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009273CB	0_2_009273CB
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DBCC	0_2_0092DBCC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092FBE5	0_2_0092FBE5
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00931316	0_2_00931316
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934308	0_2_00934308
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D30C	0_2_0092D30C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D333	0_2_0092D333
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00931355	0_2_00931355
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00931345	0_2_00931345
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DB4D	0_2_0092DB4D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934372	0_2_00934372
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00931B75	0_2_00931B75
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934B7B	0_2_00934B7B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DB66	0_2_0092DB66
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093336D	0_2_0093336D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934B6C	0_2_00934B6C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00924C96	0_2_00924C96
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934C9A	0_2_00934C9A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DCD2	0_2_0092DCD2
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092E4F3	0_2_0092E4F3
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934CF1	0_2_00934CF1
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934CFE	0_2_00934CFE
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934CE9	0_2_00934CE9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D40E	0_2_0092D40E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00933C2A	0_2_00933C2A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934C53	0_2_00934C53
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D456	0_2_0092D456
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934C71	0_2_00934C71
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00933D80	0_2_00933D80
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D586	0_2_0092D586
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934DA7	0_2_00934DA7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092CDAD	0_2_0092CDAD
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DDC7	0_2_0092DDC7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934DC6	0_2_00934DC6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092EDFE	0_2_0092EDFE
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934DE3	0_2_00934DE3
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009335E9	0_2_009335E9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D513	0_2_0092D513
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D50C	0_2_0092D50C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092CD74	0_2_0092CD74
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D564	0_2_0092D564
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934D6A	0_2_00934D6A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00932697	0_2_00932697
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093369D	0_2_0093369D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00933E83	0_2_00933E83
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934E8D	0_2_00934E8D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DEDA	0_2_0092DEDA
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009336F4	0_2_009336F4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D6FF	0_2_0092D6FF
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DE02	0_2_0092DE02
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092CE03	0_2_0092CE03
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00933E00	0_2_00933E00
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DE07	0_2_0092DE07
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092FE3E	0_2_0092FE3E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092CE53	0_2_0092CE53
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093365A	0_2_0093365A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00928E58	0_2_00928E58
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DE76	0_2_0092DE76
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093367E	0_2_0093367E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092767D	0_2_0092767D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00933E7C	0_2_00933E7C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_009337A1	0_2_009337A1
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092D7D4	0_2_0092D7D4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00932714	0_2_00932714
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00934739	0_2_00934739
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00932738	0_2_00932738
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092DF2D	0_2_0092DF2D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0092E752	0_2_0092E752
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093476E	0_2_0093476E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0093376C	0_2_0093376C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_050F3028	9_2_050F3028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_050F3038	9_2_050F3038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A44650	9_2_06A44650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A4C180	9_2_06A4C180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A44D68	9_2_06A44D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A44640	9_2_06A44640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A44796	9_2_06A44796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A4C4A7	9_2_06A4C4A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A4D1B0	9_2_06A4D1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A43CF1	9_2_06A43CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A43D00	9_2_06A43D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_094DDDD8	9_2_094DDDD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_094DC458	9_2_094DC458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_094DDDC9	9_2_094DDDC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_096A1160	9_2_096A1160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_096A0548	9_2_096A0548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_096A5D90	9_2_096A5D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_096A2EF8	9_2_096A2EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_096A6145	9_2_096A6145
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_096A0890	9_2_096A0890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_096A2EE9	9_2_096A2EE9

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: String function: 0041E430 appears 66 times

Source: PDFonlineseguro.exe	Static PE information: Resource name: DRIVER type: PE32 executable (native) Intel 80386, for MS Windows
Source: PDFonlineseguro.exe	Static PE information: Resource name: TMCOMMDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: PDFonlineseguro.exe	Static PE information: Resource name: TMENGDRV type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: PDFonlineseguro.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: RemotePCPrinter.exe.0.dr	Static PE information: Resource name: DRIVER type: PE32 executable (native) Intel 80386, for MS Windows
Source: RemotePCPrinter.exe.0.dr	Static PE information: Resource name: TMCOMMDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RemotePCPrinter.exe.0.dr	Static PE information: Resource name: TMENGDRV type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RemotePCPrinter.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: PDFonlineseguro.exe	Binary or memory string: %sOriginalFileName vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000000.1248008280.000000000045C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTmComm.sysN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1522101624.0000000002A89000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRootkitBuster.exeN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000000.1248008280.000000000055E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRootkitBuster.exeN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000000.1248008280.000000000049F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametmcomeng.dllN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1522101624.0000000002930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %sOriginalFileName vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1522101624.0000000002930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OD.H%sSpecialBuild%sPrivateBuild%sLegalTrademarks%sComments%sProductVersion%sProductName%sOriginalFileName%sLegalCopyright%sInternalName%sFileVersion%sFileDescription%sCompanyName\StringFileInfo\%04X%04X\\VarFileInfo\Translation\Leaving destruct CSICReportLogger objectD:\ActiveClean\src\user\RootkitScanner\source\SICReportLogger.cppCSICReportLogger::~CSICReportLogger()Entering destruct CSICReportLogger objectLog File Handle not Initialized.CSIC::LogString()No memory space can be allocated.CSIC::LogSingleString()leaving Initialize CSIC scan object ret=%d%s%s\%s\%sSICLOGCSICReportLogger::Initialize()Entering Initialize CSICReportLogger objectCSICReportLogger::LogBytes()CSICReportLogger::_CloseLogFileCloseLogFile\%%s%%.%dd.%%sCan't find next file, ErrNo=%d%s*.%sTXTCSICReportLogger::RotateFileName()X86PROCESSOR_ARCHITEW6432PROCESSOR_ARCHITECTUREAfter uninstall driver=%dD:\ActiveClean\src\user\RootkitScanner\source\TMRKScanWin.cpp(Needn't waiting)bStopped=%dWinAppDestructor()(After waiting)bStopped=%d+----------------------------------------------------+ vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1522101624.0000000002984000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTmComm.sysN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000000.1247954319.000000000044E000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: %sOriginalFileName vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000000.1247954319.000000000044E000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OD.H%sSpecialBuild%sPrivateBuild%sLegalTrademarks%sComments%sProductVersion%sProductName%sOriginalFileName%sLegalCopyright%sInternalName%sFileVersion%sFileDescription%sCompanyName\StringFileInfo\%04X%04X\\VarFileInfo\Translation\Leaving destruct CSICReportLogger objectD:\ActiveClean\src\user\RootkitScanner\source\SICReportLogger.cppCSICReportLogger::~CSICReportLogger()Entering destruct CSICReportLogger objectLog File Handle not Initialized.CSIC::LogString()No memory space can be allocated.CSIC::LogSingleString()leaving Initialize CSIC scan object ret=%d%s%s\%s\%sSICLOGCSICReportLogger::Initialize()Entering Initialize CSICReportLogger objectCSICReportLogger::LogBytes()CSICReportLogger::_CloseLogFileCloseLogFile\%%s%%.%dd.%%sCan't find next file, ErrNo=%d%s*.%sTXTCSICReportLogger::RotateFileName()X86PROCESSOR_ARCHITEW6432PROCESSOR_ARCHITECTUREAfter uninstall driver=%dD:\ActiveClean\src\user\RootkitScanner\source\TMRKScanWin.cpp(Needn't waiting)bStopped=%dWinAppDestructor()(After waiting)bStopped=%d+----------------------------------------------------+ vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: %sOriginalFileName vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OD.H%sSpecialBuild%sPrivateBuild%sLegalTrademarks%sComments%sProductVersion%sProductName%sOriginalFileName%sLegalCopyright%sInternalName%sFileVersion%sFileDescription%sCompanyName\StringFileInfo\%04X%04X\\VarFileInfo\Translation\Leaving destruct CSICReportLogger objectD:\ActiveClean\src\user\RootkitScanner\source\SICReportLogger.cppCSICReportLogger::~CSICReportLogger()Entering destruct CSICReportLogger objectLog File Handle not Initialized.CSIC::LogString()No memory space can be allocated.CSIC::LogSingleString()leaving Initialize CSIC scan object ret=%d%s%s\%s\%sSICLOGCSICReportLogger::Initialize()Entering Initialize CSICReportLogger objectCSICReportLogger::LogBytes()CSICReportLogger::_CloseLogFileCloseLogFile\%%s%%.%dd.%%sCan't find next file, ErrNo=%d%s*.%sTXTCSICReportLogger::RotateFileName()X86PROCESSOR_ARCHITEW6432PROCESSOR_ARCHITECTUREAfter uninstall driver=%dD:\ActiveClean\src\user\RootkitScanner\source\TMRKScanWin.cpp(Needn't waiting)bStopped=%dWinAppDestructor()(After waiting)bStopped=%d+----------------------------------------------------+ vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OriginalFilenameTmComm.sysN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OriginalFilenametmcomeng.dllN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OriginalFilenameTmEngDrv.dllN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OriginalFilenameRootkitBuster.exeN vs PDFonlineseguro.exe

Source: PDFonlineseguro.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: RemotePCPrinter.exe.0.dr	Binary string: \Device\LanmanRedirector\
Source: RemotePCPrinter.exe.0.dr	Binary string: \\\Device\Harddisk
Source: RemotePCPrinter.exe.0.dr	Binary string: \SystemRoot\TmComm.log\Device\TmComm>>> CFG-GetSDTProc(%d, %s)=%p
Source: RemotePCPrinter.exe.0.dr	Binary string: Utility\??\\??\UNC\\Device\HarddiskIoValidateDeviceIoControlAccessIoCreateDeviceSecureD:P
Source: RemotePCPrinter.exe.0.dr	Binary string: \Device\LanmanRedirector\;
Source: RemotePCPrinter.exe.0.dr	Binary string: \??\\??\UNC\\\?\\??\\Registry\Machine\\Registry\User\\Registry\Machine\Software\Classes\\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current\.*\Device\LanmanRedirector\;\Device\LanmanRedirector\\??\UNC\\SystemRoot\\??\\Device\LanmanRedirector\;\Device\LanmanRedirector\\??\UNC\\SystemRoot\\??\
Source: RemotePCPrinter.exe.0.dr	Binary string: aD\\\Device\Harddisk

Source: classification engine

Classification label: mal92.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_00407070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00407070

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_004068B0 FindResourceW,LoadResource,SizeofResource,CreateFileW,WriteFile,CloseHandle,

0_2_004068B0

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File created: C:\Users\user\Documents\NordVPNnetworkTAP

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234

Source: PDFonlineseguro.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PDFonlineseguro.exe

String found in binary or memory: >>> CFG-AddEP(%03x, %03x)=%#x

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File read: C:\Users\user\Desktop\PDFonlineseguro.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PDFonlineseguro.exe "C:\Users\user\Desktop\PDFonlineseguro.exe"
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: a.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PDFonlineseguro.exe

Static file information: File size 2334801 > 1048576

Source: PDFonlineseguro.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1e3000

Source: PDFonlineseguro.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\ActiveClean\src\user\TMCOMMENG\Release\tmcomeng.pdbPMZ source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\tmavsetup\Release\TmEngDrv.pdbP source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\RootkitScanner\Release\RootkitBuster.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\tmavsetup\Release\TmEngDrv.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\TMCOMMENG\Release\tmcomeng.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\activeclean\src\sys\output\fre_wxp_x86\i386\tmcomm.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Unpacked PE file: 0.2.PDFonlineseguro.exe.400000.0.unpack

Yara detected Costura Assembly Loader

Source: Yara match	File source: 9.2.csc.exe.8059828.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.csc.exe.6b60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2514402981.0000000007FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2513804925.0000000006B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2513943972.0000000006E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 1912, type: MEMORYSTR

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0040DC10 push eax; ret	0_2_0040DC3E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0040F688 push eax; ret	0_2_0040F6A6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00921630 push edi; retf 0000h	0_2_00921635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_050F71F4 push es; ret	9_2_050F71F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_050F6991 pushad ; retf	9_2_050F699D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A426E3 push es; ret	9_2_06A426E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A4256B push es; retf	9_2_06A4256C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A4254D push es; ret	9_2_06A4255C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A4255F push es; ret	9_2_06A42560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A48331 pushfd ; ret	9_2_06A48337
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06A48A2B push es; retf	9_2_06A48A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_094DB7D0 pushad ; iretd	9_2_094DB7D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_096A3583 push edx; iretd	9_2_096A358A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_0970511E pushad ; retf	9_2_09705120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_09703D0F push ebx; ret	9_2_09703D15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_0970607B push eax; retf	9_2_0970607C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_09708082 pushfd ; retf	9_2_09708083

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File created: C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File created: C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NordicVPN			Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NordicVPN			Jump to behavior

Hooking and other Techniques for Hiding and Protection

May modify the system service descriptor table (often done to hook functions)

Source: PDFonlineseguro.exe, 00000000.00000000.1248008280.000000000045C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: PDFonlineseguro.exe, 00000000.00000002.1522101624.0000000002984000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: PDFonlineseguro.exe	Binary or memory string: KeServiceDescriptorTable
Source: RemotePCPrinter.exe.0.dr	Binary or memory string: KeServiceDescriptorTable

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004080C0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		0_2_004080C0
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0040CB46 IsIconic,GetWindowPlacement,GetWindowRect,		0_2_0040CB46

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_00401970 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetModuleFileNameW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_00401970

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: csc.exe PID: 1912, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 68E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 3569			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 6269			Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Dropped PE file which has not been started: C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1504	Thread sleep count: 3569 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -59875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1504	Thread sleep count: 6269 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -59765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -59656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -59547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -59437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -59328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -59219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -59094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -58984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -58875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -58766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -58655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -58547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -58437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -58325s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -58218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -58087s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -57648s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -57531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -57419s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -57307s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -57203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -57094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -56984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -56875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -56766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -56648s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -56531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -56418s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -56312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -56201s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -56094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -55969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -55859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -55750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -55603s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -55438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -55016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -54906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -54797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -54688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -54578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -54469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -54344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -54233s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -54124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -54014s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -53906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -53797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -53688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1272	Thread sleep time: -53563s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00406A80 FindFirstFileW,FindClose,		0_2_00406A80
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00405570 SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,		0_2_00405570

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58325	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58087	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57648	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57419	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57307	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56648	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56418	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55603	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 54014	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 53906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 53797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 53688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 53563	Jump to behavior

Source: csc.exe, 00000009.00000002.2512923956.0000000004ED3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 440000 protect: page readonly

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 440000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 440000			Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 49DF008			Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_00918675 cpuid

0_2_00918675

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_0040F112 GetLocalTime,GetSystemTime,GetTimeZoneInformation,SendMessageW,FindWindowExW,

0_2_0040F112

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_0040F112 GetLocalTime,GetSystemTime,GetTimeZoneInformation,SendMessageW,FindWindowExW,

0_2_0040F112

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_004058C0 GetVersionExA,

0_2_004058C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: csc.exe, 00000009.00000002.2515510450.0000000009730000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgramFiles%\Windows Defender\MsMpeng.exe
Source: csc.exe, 00000009.00000003.1501378645.000000000974E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	31 Process Injection	11 Disable or Modify Tools	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Process Injection	LSA Secrets	11 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	135 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
newstaticfreepoint24.ddns-ip.net	181.71.216.203	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2513943972.0000000006E31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000009.00000002.2513943972.000000000708A000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2513943972.0000000006E31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000009.00000002.2513867627.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000083EB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000003.1718188086.00000000082B1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
181.71.216.203	newstaticfreepoint24.ddns-ip.net	Colombia		27831	ColombiaMovilCO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587432
Start date and time:	2025-01-10 11:32:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PDFonlineseguro.exe
Detection:	MAL
Classification:	mal92.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 87% Number of executed functions: 343 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:53:37	API Interceptor	1208638x Sleep call for process: csc.exe modified
12:53:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NordicVPN C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe
12:53:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NordicVPN C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
181.71.216.203	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
newstaticfreepoint24.ddns-ip.net	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	181.71.216.203
	SHROsQyiAd.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	4JwhvqLe8n.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	181.131.217.244

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	6.elf	Get hash	malicious	Unknown	Browse	181.70.170.80
	173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	sh4.elf	Get hash	malicious	Mirai	Browse	177.252.126.19
	armv5l.elf	Get hash	malicious	Unknown	Browse	191.93.155.250

Process:	C:\Users\user\Desktop\PDFonlineseguro.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	959667331
Entropy (8bit):	0.0378714111132915
Encrypted:	false
SSDEEP:
MD5:	0F5B1010F65FF84026DBB1599DC4C446
SHA1:	A93AD805CEF6121875AA671B8CB88556E8E41352
SHA-256:	ACBA3E7ADBCB4696364B3B2CF2DE8970A9C11F0A2F0D2B2059738EC7B13AB8BC
SHA-512:	E804413DC05443C564E50806B3FA746BCFA4120D9F081789B820F9AB5F20A5B243386B149C574729661FFDAD71A1A47236FF8FC654298DA5F644B8701DA32C65
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@..@..@..@..@...L..@......@..A.q.@......@...K..@...N..@...J.5.@...K..@..K..@.X.F..@.Rich..@..H.$..PE..L......E..........................................@...........................#.........................................................x-...........................................................................................................text...~........................... ..`.rdata..............................@..@.data...H...........................@....rsrc...x-.......0...p..............@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.181190846088643
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PDFonlineseguro.exe
File size:	2'334'801 bytes
MD5:	fddcc6db43b7aea103c315249bc12bbe
SHA1:	97f3ce1e1008deef73aed1d4f58bf184146ad243
SHA256:	bf836b14f236cce4cecd3b261b4e9b3f2f159ac9661cc2bf351e3533a7e8e5eb
SHA512:	601ae10269e94df22227976154ee72019142e32592edbba49971052c3e717dd52b966631b2a6f474b92eee8fa0a188d8d46d0cb29f5b9eb69854f403cdcfd3fc
SSDEEP:	24576:NUXOTB5dYdJ28+BaykZ+1XGRSK3FrTOX5F13db67IXgd2nB3TM1J2dv5iGoTEtQG:OaER4DXGJ1T+v1340Xf38GLC8e4
TLSH:	B3B5BF20A2859997F69274B4123FE5F7E22127309E11C487F3C59F2EB875DD0983AB87
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............@...@...@...@...@...L...@.......@...A.q.@.......@...K...@...N...@...J.5.@...K...@...K...@.X.F...@.Rich..@....H.$..PE..L..

File Icon


Icon Hash:	03032725047cfe60

Static PE Info

General

Entrypoint:	0x40d5c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x45BF13D2 [Tue Jan 30 09:45:54 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5fb09959021d8f9c65e9a957b247adac

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00444FB0h
push 004114D0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004413C8h]
xor edx, edx
mov dl, ah
mov dword ptr [00459274h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00459270h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0045926Ch], ecx
shr eax, 10h
mov dword ptr [00459268h], eax
push 00000001h
call 00007F46E062C8F9h
pop ecx
test eax, eax
jne 00007F46E0628B5Ah
push 0000001Ch
call 00007F46E0628C17h
pop ecx
call 00007F46E062C5DAh
test eax, eax
jne 00007F46E0628B5Ah
push 00000010h
call 00007F46E0628C06h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F46E062C3B4h
call 00007F46E062C30Eh
mov dword ptr [0045AD14h], eax
call 00007F46E062C197h
mov dword ptr [0045925Ch], eax
call 00007F46E062BF64h
call 00007F46E062BEA7h
call 00007F46E0629BBCh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0044120Ch]
call 00007F46E062BE4Bh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F46E0628B58h
movzx eax, word ptr [ebp-2Ch]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b498	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x1e2d78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x417e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x41000	0x7dc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3fa7e	0x40000	ce4e2154cbe4e7156492dc1cc0f693ce	False	0.5431098937988281	data	6.484004415784614	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x41000	0xceba	0xd000	19619226e29a06fa4d01a78b7906fd9e	False	0.4609375	data	5.733152244637936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4e000	0xd848	0x9000	00473552ce4b9e86c7a55926c18dc927	False	0.2333441840277778	data	3.330419442779499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5c000	0x1e2d78	0x1e3000	c02073652d12fcfb1dd9e62784ad4fe1	False	0.628267845011646	data	7.322211817710192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
CATALOG	0x5cbac	0x2974	data	English	United States	0.534206558612891
DRIVER	0x5f520	0x19190	PE32 executable (native) Intel 80386, for MS Windows	Chinese	Taiwan	0.47299610894941635
INFINSTALL	0x786b0	0x996	Windows setup INFormation	English	United States	0.40179299103504484
TMCOMMDLL	0x79048	0x2b047	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Chinese	Taiwan	0.42348140454826644
TMENGDRV	0xa4090	0x1b047	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Chinese	Taiwan	0.4508824087545069
RT_CURSOR	0xbf0d8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0xbf20c	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_BITMAP	0xbf2c0	0x55028	PC bitmap, Windows 3.x format, 44486 x 2 x 51, image size 348736, cbSize 348200, bits offset 54			0.9996209075244112
RT_BITMAP	0x1142e8	0x33b8c	PC bitmap, Windows 3.x format, 26784 x 2 x 54, image size 212356, cbSize 211852, bits offset 54			1.0001746502275173
RT_BITMAP	0x147e74	0x5b78	Device independent bitmap graphic, 507 x 44 x 8, image size 22352	Chinese	Taiwan	0.3262726340963444
RT_BITMAP	0x14d9ec	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	English	United States	0.34615384615384615
RT_BITMAP	0x14dfd0	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x14e088	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	English	United States	0.28296703296703296
RT_BITMAP	0x14e1f4	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0x14e338	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.37436413107772387
RT_ICON	0x15eb60	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.3590576287198866
RT_ICON	0x162d88	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.295701464336325
RT_ICON	0x166fb0	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	Chinese	Taiwan	0.5231481481481481
RT_DIALOG	0x167c58	0x4d6	data	English	United States	0.4701130856219709
RT_DIALOG	0x168130	0xe4	data	Chinese	Taiwan	0.6622807017543859
RT_DIALOG	0x168214	0xe8	data	English	United States	0.6336206896551724
RT_STRING	0x1682fc	0x71a	data	Chinese	Taiwan	0.323982398239824
RT_STRING	0x168a18	0x4e6	data	Chinese	Taiwan	0.38118022328548645
RT_STRING	0x168f00	0x2f6	data	Chinese	Taiwan	0.41688654353562005
RT_STRING	0x1691f8	0x9a4	data	Chinese	Taiwan	0.27836304700162073
RT_STRING	0x169b9c	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x169c20	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x169c4c	0x14a	data	English	United States	0.5060606060606061
RT_STRING	0x169d98	0x4e2	data	English	United States	0.376
RT_STRING	0x16a27c	0x2a2	data	English	United States	0.28338278931750743
RT_STRING	0x16a520	0x2dc	data	English	United States	0.36885245901639346
RT_STRING	0x16a7fc	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x16a8a8	0xde	data	English	United States	0.536036036036036
RT_STRING	0x16a988	0x4c4	data	English	United States	0.3221311475409836
RT_STRING	0x16ae4c	0x264	data	English	United States	0.3741830065359477
RT_STRING	0x16b0b0	0x2c	data	English	United States	0.5227272727272727
RT_RCDATA	0x16b0dc	0x1800	PE32+ executable (console) x86-64, for MS Windows			0.5719401041666666
RT_RCDATA	0x16c8dc	0x24780	data			0.7689053127677806
RT_RCDATA	0x19105c	0x4e550	Delphi compiled form 'TBaseFrame'			0.36960803869745174
RT_RCDATA	0x1df5ac	0x1cc3e	Delphi compiled form '\017TFanTasticFrame\016FanTasticFrame'			0.5127989679346812
RT_RCDATA	0x1fc1ec	0x136fe	Delphi compiled form '\016TfrmAutoTuning'			0.5060290903609918
RT_RCDATA	0x20f8ec	0x136fe	Delphi compiled form '\016TfrmAutoTuning'			0.6512548044313814
RT_RCDATA	0x222fec	0x1b681	Delphi compiled form 'TMsgBoxForm'			0.5580320158208397
RT_GROUP_CURSOR	0x23e670	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_ICON	0x23e694	0x14	data	Chinese	Taiwan	1.15
RT_VERSION	0x23e6a8	0x458	data	English	United States	0.427158273381295
RT_MANIFEST	0x23eb00	0x277	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	Taiwan	0.5150554675118859

Imports

DLL	Import
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
COMCTL32.dll	_TrackMouseEvent, ImageList_Destroy, ImageList_Create, ImageList_LoadImageW, ImageList_Merge, ImageList_Read, ImageList_Write
KERNEL32.dll	DuplicateHandle, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, MoveFileW, GetVolumeInformationW, GetFullPathNameW, GetStringTypeExW, GetThreadLocale, GetShortPathNameW, GetFileTime, LocalFileTimeToFileTime, SystemTimeToFileTime, SetFileTime, SetFileAttributesW, FileTimeToLocalFileTime, GetStartupInfoW, ExitProcess, RtlUnwind, GetLocalTime, RaiseException, HeapFree, HeapAlloc, SetConsoleCtrlHandler, CreateThread, ExitThread, GetTimeZoneInformation, GetSystemTime, HeapReAlloc, HeapSize, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetEnvironmentStrings, GetCommandLineA, SetHandleCount, GetFileType, SetErrorMode, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, FatalAppExitA, SetUnhandledExceptionFilter, VirtualAlloc, IsBadWritePtr, LCMapStringA, LCMapStringW, GetFileAttributesA, IsBadReadPtr, IsBadCodePtr, GetStringTypeA, GetStringTypeW, GetCPInfo, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, CompareStringA, CompareStringW, SetEnvironmentVariableW, GetExitCodeProcess, CreateProcessA, SetStdHandle, GetACP, GetOEMCP, SetEnvironmentVariableA, GetLocaleInfoW, GetCurrentProcessId, GetOverlappedResult, DeviceIoControl, CreateEventA, InterlockedExchange, QueryDosDeviceW, GetLogicalDriveStringsW, GetWindowsDirectoryW, QueryDosDeviceA, GetLogicalDriveStringsA, GetWindowsDirectoryA, OutputDebugStringW, CreateMailslotW, SleepEx, GetFullPathNameA, GetCurrentDirectoryA, FindResourceA, GlobalAddAtomA, GetProfileStringA, GlobalGetAtomNameW, WritePrivateProfileStringW, GetPrivateProfileStringW, GetPrivateProfileIntW, GetProcessVersion, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalAlloc, GlobalFlags, lstrcmpiW, CreateEventW, SetThreadPriority, SetEvent, lstrcmpW, GlobalAlloc, lstrcmpA, lstrcmpiA, GetCurrentThread, lstrcpynW, MulDiv, SetLastError, FormatMessageW, LocalFree, GetDriveTypeA, InterlockedDecrement, InterlockedIncrement, LoadLibraryA, lstrlenA, GetVersion, lstrcatW, GetCurrentThreadId, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, lstrcpyW, GlobalLock, GlobalUnlock, GlobalFree, LockResource, TerminateProcess, MoveFileExW, SuspendThread, ResumeThread, CreateProcessW, GetVersionExW, WaitForSingleObject, GetCurrentProcess, Sleep, GetSystemDirectoryW, CopyFileW, FindResourceW, LoadResource, SizeofResource, GetTempPathW, CreateMutexW, GetCommandLineW, AllocConsole, SetConsoleTitleW, GetStdHandle, WriteConsoleW, ReadConsoleW, FreeConsole, GetCurrentDirectoryW, GetModuleHandleA, GetModuleHandleW, GetVersionExA, DeleteFileW, SetCurrentDirectoryW, FindFirstFileW, FindNextFileW, GetLastError, FindClose, GetFileAttributesW, CreateDirectoryW, lstrlenW, FileTimeToSystemTime, WideCharToMultiByte, GetUserDefaultLangID, MultiByteToWideChar, LoadLibraryW, GetProcAddress, FreeLibrary, GetTickCount, CreateFileW, ReadFile, SetFilePointer, GetFileSize, WriteFile, CloseHandle, GetModuleFileNameW, GetStartupInfoA
USER32.dll	IsDialogMessageW, SetWindowTextW, MoveWindow, ShowWindow, EnableMenuItem, CheckMenuItem, SetMenuItemBitmaps, ModifyMenuW, GetMenuState, LoadBitmapW, GetMenuCheckMarkDimensions, ClientToScreen, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutW, DrawTextW, GrayStringW, ShowOwnedPopups, SetCursor, ValidateRect, TranslateMessage, GetMessageW, wvsprintfW, DestroyMenu, GetClassNameW, PtInRect, GetDesktopWindow, GetDialogBaseUnits, LoadCursorW, GetSysColorBrush, SetCapture, ReleaseCapture, WaitMessage, GetWindowThreadProcessId, WindowFromPoint, InsertMenuW, GetMenuStringW, SetRectEmpty, LoadAcceleratorsW, TranslateAcceleratorW, LoadMenuW, SetMenu, ReuseDDElParam, UnpackDDElParam, BringWindowToTop, CharUpperW, CheckRadioButton, CheckDlgButton, UpdateWindow, SendDlgItemMessageW, SendDlgItemMessageA, MapWindowPoints, PeekMessageW, DispatchMessageW, GetFocus, SetFocus, AdjustWindowRectEx, EqualRect, DeferWindowPos, BeginDeferWindowPos, EndDeferWindowPos, IsWindowVisible, ScrollWindow, GetScrollInfo, SetScrollInfo, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, IsChild, GetCapture, ScrollWindowEx, GetClassInfoW, RegisterClassW, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, TrackPopupMenu, SetWindowPlacement, GetWindowTextLengthW, GetWindowTextW, GetDlgCtrlID, GetKeyState, DefWindowProcW, CreateWindowExW, SetWindowsHookExW, CallNextHookEx, SetPropW, UnhookWindowsHookEx, GetPropW, CallWindowProcW, RemovePropW, GetMessageTime, GetMessagePos, GetLastActivePopup, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowLongW, SetWindowPos, RegisterWindowMessageW, IntersectRect, SystemParametersInfoW, GetWindowPlacement, GetWindowRect, GetNextDlgTabItem, EndDialog, GetActiveWindow, SetActiveWindow, IsWindow, DestroyWindow, GetParent, GetWindowLongW, GetDlgItem, IsWindowEnabled, GetDC, GetSysColor, ReleaseDC, PostQuitMessage, PostMessageW, IsIconic, DrawIcon, UnregisterClassW, GetWindowTextLengthA, HideCaret, ShowCaret, ExcludeUpdateRgn, AppendMenuW, LoadIconW, ExitWindowsEx, wsprintfW, FindWindowExW, GetSystemMenu, DeleteMenu, LoadStringA, MessageBoxA, LoadStringW, MessageBoxW, GetClientRect, GetCursorPos, ScreenToClient, GetSystemMetrics, InvalidateRect, CopyRect, DrawEdge, DrawIconEx, InflateRect, IsDlgButtonChecked, SetDlgItemTextW, SetDlgItemInt, GetDlgItemTextW, WinHelpW, GetDlgItemInt, OffsetRect, FillRect, SendMessageW, RedrawWindow, EnableWindow, CreateDialogIndirectParamW, GetPropA, SetPropA, SetWindowLongA, GetClassNameA, IsWindowUnicode, SendMessageA, GetWindowLongA, SetWindowsHookExA, RemovePropA, CallWindowProcA, CharNextA, DefWindowProcA, DefDlgProcA, GetClassInfoA, DrawFocusRect, DrawTextA, GetWindowTextA
GDI32.dll	SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, OffsetClipRgn, MoveToEx, LineTo, SetTextAlign, SetTextJustification, SetTextCharacterExtra, SetMapperFlags, GetCurrentPositionEx, ArcTo, SetArcDirection, SetTextColor, PolylineTo, SetColorAdjustment, PolyBezierTo, DeleteObject, GetClipRgn, CreateRectRgn, SetBkMode, ExtSelectClipRgn, PlayMetaFileRecord, GetObjectType, EnumMetaFile, PlayMetaFile, GetDeviceCaps, GetViewportExtEx, GetWindowExtEx, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, CreatePatternBrush, CreateDIBPatternBrushPt, PtVisible, RectVisible, TextOutW, ExtTextOutW, Escape, GetMapMode, PatBlt, SetRectRgn, CombineRgn, CreateRectRgnIndirect, CreateFontIndirectW, DPtoLP, GetTextMetricsW, ExtTextOutA, GetClipBox, GetDCOrgEx, CreateFontW, GetTextExtentPoint32W, SelectPalette, GetStockObject, SelectObject, RestoreDC, SaveDC, StartDocW, DeleteDC, CreateBitmap, GetObjectW, SelectClipPath, SetBkColor, GetTextExtentPointA, BitBlt, CreateCompatibleDC, PolyDraw, CreateDIBitmap, Rectangle
comdlg32.dll	GetFileTitleW
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesW, OpenPrinterW
ADVAPI32.dll	ControlService, StartServiceW, OpenServiceW, DeleteService, CreateServiceW, OpenSCManagerW, CloseServiceHandle, RegDeleteKeyW, RegDeleteValueW, RegSetValueExW, RegOpenKeyExW, RegCreateKeyExW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyW, RegQueryValueExW, RegCloseKey, QueryServiceStatus
SHELL32.dll	DragQueryFileW, DragFinish, DragAcceptFiles, ShellExecuteW, SHGetFileInfoW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	Taiwan

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:33:34.788815022 CET	49799	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:34.793745041 CET	30203	49799	181.71.216.203	192.168.2.7
Jan 10, 2025 11:33:34.793822050 CET	49799	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:34.829684019 CET	49799	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:34.834594965 CET	30203	49799	181.71.216.203	192.168.2.7
Jan 10, 2025 11:33:34.834661007 CET	49799	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:34.839492083 CET	30203	49799	181.71.216.203	192.168.2.7
Jan 10, 2025 11:33:56.189295053 CET	30203	49799	181.71.216.203	192.168.2.7
Jan 10, 2025 11:33:56.189413071 CET	49799	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:56.198262930 CET	49799	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:56.203186035 CET	30203	49799	181.71.216.203	192.168.2.7
Jan 10, 2025 11:33:56.354326010 CET	49925	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:56.359231949 CET	30203	49925	181.71.216.203	192.168.2.7
Jan 10, 2025 11:33:56.359708071 CET	49925	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:56.361188889 CET	49925	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:56.366030931 CET	30203	49925	181.71.216.203	192.168.2.7
Jan 10, 2025 11:33:56.369227886 CET	49925	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:33:56.374111891 CET	30203	49925	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:17.748001099 CET	30203	49925	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:17.748334885 CET	49925	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:17.748334885 CET	49925	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:17.753268003 CET	30203	49925	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:17.854283094 CET	49971	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:17.859457970 CET	30203	49971	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:17.859658003 CET	49971	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:17.860388041 CET	49971	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:17.865174055 CET	30203	49971	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:17.865281105 CET	49971	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:17.870110989 CET	30203	49971	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:39.200934887 CET	30203	49971	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:39.201050043 CET	49971	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:39.201230049 CET	49971	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:39.206054926 CET	30203	49971	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:39.307499886 CET	49972	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:39.312429905 CET	30203	49972	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:39.312550068 CET	49972	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:39.313517094 CET	49972	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:39.318317890 CET	30203	49972	181.71.216.203	192.168.2.7
Jan 10, 2025 11:34:39.318523884 CET	49972	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:34:39.323318958 CET	30203	49972	181.71.216.203	192.168.2.7
Jan 10, 2025 11:35:00.683332920 CET	30203	49972	181.71.216.203	192.168.2.7
Jan 10, 2025 11:35:00.686790943 CET	49972	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:00.687334061 CET	49972	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:00.692145109 CET	30203	49972	181.71.216.203	192.168.2.7
Jan 10, 2025 11:35:00.792022943 CET	49973	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:00.796830893 CET	30203	49973	181.71.216.203	192.168.2.7
Jan 10, 2025 11:35:00.797355890 CET	49973	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:00.797895908 CET	49973	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:00.802757978 CET	30203	49973	181.71.216.203	192.168.2.7
Jan 10, 2025 11:35:00.803339005 CET	49973	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:00.808223009 CET	30203	49973	181.71.216.203	192.168.2.7
Jan 10, 2025 11:35:13.671345949 CET	49973	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:13.676167011 CET	30203	49973	181.71.216.203	192.168.2.7
Jan 10, 2025 11:35:13.683341026 CET	49973	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:13.688096046 CET	30203	49973	181.71.216.203	192.168.2.7
Jan 10, 2025 11:35:16.060723066 CET	49973	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:16.065588951 CET	30203	49973	181.71.216.203	192.168.2.7
Jan 10, 2025 11:35:16.067142963 CET	49973	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:35:16.071928978 CET	30203	49973	181.71.216.203	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:33:34.768160105 CET	50156	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:33:34.783639908 CET	53	50156	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:33:34.768160105 CET	192.168.2.7	1.1.1.1	0x5d44	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:33:34.783639908 CET	1.1.1.1	192.168.2.7	0x5d44	No error (0)	newstaticfreepoint24.ddns-ip.net		181.71.216.203	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:33:08
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\PDFonlineseguro.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PDFonlineseguro.exe"
Imagebase:	0x400000
File size:	2'334'801 bytes
MD5 hash:	FDDCC6DB43B7AEA103C315249BC12BBE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:33:30
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x5e0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.2514402981.0000000007FD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.2513804925.0000000006B60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.2513943972.0000000006E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.9%
Dynamic/Decrypted Code Coverage:	98.8%
Signature Coverage:	32.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	300

Executed Functions

Function 008F6465 Relevance: 31.9, APIs: 1, Strings: 20, Instructions: 367
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Strings

M, xrefs: 0090DD99
m, xrefs: 0090DDA7
W, xrefs: 0090DCE1
y, xrefs: 0090DDBC
o, xrefs: 0090DD76
c, xrefs: 0090DD7D
e, xrefs: 0090DDA0
o, xrefs: 0090DDAE
s, xrefs: 0090DD8B
s, xrefs: 0090DD92
e, xrefs: 0090DD84
t, xrefs: 0090DD5A
P, xrefs: 0090DD68
r, xrefs: 0090DDB5
r, xrefs: 0090DD6F
W, xrefs: 0090DD45
e, xrefs: 0090DD61
r, xrefs: 0090DD4C
i, xrefs: 0090DD53
7G3K, xrefs: 0090E3EB

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: 7G3K$M$P$W$W$c$e$e$e$i$m$o$o$r$r$r$s$s$t$y
API String ID: 4275171209-2769547580
Opcode ID: 2840d8ad5d51b2ace4994d8eee50234126863668c224d8dd2e3d3f821928bae3
Instruction ID: a4b22e1dfac8553338077540796ff872636171f4612a16193f68cddb3057f368
Opcode Fuzzy Hash: 2840d8ad5d51b2ace4994d8eee50234126863668c224d8dd2e3d3f821928bae3
Instruction Fuzzy Hash: 4DE1E1B1D092A89EFB208A14DC44BEABB75EF91304F0440F9D54D9B282D2BD5ED5CF62

Function 00908DD9 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 425
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000002), ref: 009093BF

Strings

x, xrefs: 009094BB
r, xrefs: 0090948A
l, xrefs: 0090947C
t, xrefs: 009094AD
i, xrefs: 00909459
u, xrefs: 0090946E
c, xrefs: 009094A6
V, xrefs: 00909452
P, xrefs: 00909483
a, xrefs: 00909475
o, xrefs: 00909491
E, xrefs: 009094B4
e, xrefs: 0090949F
t, xrefs: 00909498
r, xrefs: 00909460
t, xrefs: 00909467

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: E$P$V$a$c$e$i$l$o$r$r$t$t$t$u$x
API String ID: 4275171209-4025948460
Opcode ID: d95b60aa00213f5eb43a2287cf35ae4aa1d40fd6b3fdf40145debedbd6467a40
Instruction ID: c4629e9d0dbf3a6c86cb510f933223b6c82638235adc6501b40651cbff437be3
Opcode Fuzzy Hash: d95b60aa00213f5eb43a2287cf35ae4aa1d40fd6b3fdf40145debedbd6467a40
Instruction Fuzzy Hash: E3F118B2D081689FE7208614DC84BEBBBB9EB81314F1481FAD94D66281D67D6FC1CF91

Function 0041290D Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 490
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Strings

9EBN, xrefs: 0041290D
7D52, xrefs: 004129C7

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID: 7D52$9EBN
API String ID: 1029625771-780101925
Opcode ID: 388f1a279dd8bf3357b554f46f65a7b10d8751f4d34d2846fe6e885a3c82476a
Instruction ID: 0ad503646254e4b4fb3b36782f0a59c631594f6a4f774dda271bb14b5d07a41a
Opcode Fuzzy Hash: 388f1a279dd8bf3357b554f46f65a7b10d8751f4d34d2846fe6e885a3c82476a
Instruction Fuzzy Hash: 810227B2C181988FF724CB28CD45BEABB79EB94304F1441FAD40D96181D6BE5BC68F16

Function 0092FE3E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5BE@, xrefs: 0092FCEF
R, xrefs: 0092FDC6

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: 5BE@$R
API String ID: 0-2534193496
Opcode ID: 9be05883effbd765ad09778a22db58125baecafd0f900ba8d5cb8ca3408383c9
Instruction ID: c6c32ef06a915355ac31698b3d9d4c62a70d879895945fb7ebc51a51c319b831
Opcode Fuzzy Hash: 9be05883effbd765ad09778a22db58125baecafd0f900ba8d5cb8ca3408383c9
Instruction Fuzzy Hash: F9A137B2D04264AFE7248B20ECA0BFB7778FB81314F1441FAE94956285E6394FC5CB51

Function 008FCFD7 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 254
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

PN;9, xrefs: 008FCE03
jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: PN;9$jjjj
API String ID: 963392458-917699060
Opcode ID: 860393547b343024866ab0c8858a119930165002cf97ba93c2d6d78672ffaeea
Instruction ID: 0b5475607b526f931ff2b02b4059af036960cd5e587f3e4609d9766a8d489e9f
Opcode Fuzzy Hash: 860393547b343024866ab0c8858a119930165002cf97ba93c2d6d78672ffaeea
Instruction Fuzzy Hash: 148125B2C0461C9EF7248B24DC85BFB7775FB80314F1441BAEA09A6684EA7C5FC58A52

Function 0092FBE5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5BE@, xrefs: 0092FCEF
R, xrefs: 0092FDC6

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: 5BE@$R
API String ID: 0-2534193496
Opcode ID: 0f1000a637287439bb5450c8a5a2c0ad81dd7fb3743d230fe0d5ce1f95db1d11
Instruction ID: 98a8ddf0fb3eb6349999515d037e153fe3461a0ef06f71fba192f69bdd997400
Opcode Fuzzy Hash: 0f1000a637287439bb5450c8a5a2c0ad81dd7fb3743d230fe0d5ce1f95db1d11
Instruction Fuzzy Hash: AF7124B2D042646FF7248620EC55BEB7778EBC1310F1480BAE84D66281D6795FC6CF52

Function 00412563 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 645
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7D52, xrefs: 004129C7

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: 7D52
API String ID: 0-1372432686
Opcode ID: a32bbe8712de0054964fbb48e9575b64ab83cad968acde3ee586f41c73f5ab47
Instruction ID: 28635b83c59c4553ed9047865ddeb6010a42a8af37995a5bd21a88313d097467
Opcode Fuzzy Hash: a32bbe8712de0054964fbb48e9575b64ab83cad968acde3ee586f41c73f5ab47
Instruction Fuzzy Hash: 2D3223B1D082588FE724CB28CD84BEABB79EB85304F1441FAD40D96281D6BE5BC5CF16

Function 00412C5E Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

H69P, xrefs: 00412C5E

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID: H69P
API String ID: 1029625771-988670626
Opcode ID: e8bf6bdb9c8d6e1b828e4a5418bc28f2ca10aa74148031e08321036c686d118d
Instruction ID: 8094dba36aa06f8fead93d5423ff4b9bd7308fcc850a1e2f600cceda2a4872b9
Opcode Fuzzy Hash: e8bf6bdb9c8d6e1b828e4a5418bc28f2ca10aa74148031e08321036c686d118d
Instruction Fuzzy Hash: B0F127B2D181588BF724CB38CD45BEABB79EB94304F1481FAD40D96180D6BE5BC58F26

Function 0092925E Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 681beac023ffa6d458f59b45752725a787753f2ba695c30acbbe005ddaca77eb
Instruction ID: c2b16026363b469fb939d3c29d4f406655b1e415cba3d08f0a5905b6f81e87d8
Opcode Fuzzy Hash: 681beac023ffa6d458f59b45752725a787753f2ba695c30acbbe005ddaca77eb
Instruction Fuzzy Hash: 3AB147F3C14125AFF7248B14EC85BEB77A8EB90310F1481FAD90D56685E63C9FC68A61

Function 0041C26C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

87J=, xrefs: 0041C43F

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: 87J=
API String ID: 0-1728124889
Opcode ID: b902892d12abfeabe201e418613c91f4c99f889eee56b3a251b18c745c4c45c4
Instruction ID: 18051e2a7fe5abdc85e49c4781780e6a560778dfd0343a5f280e073013bd8e3a
Opcode Fuzzy Hash: b902892d12abfeabe201e418613c91f4c99f889eee56b3a251b18c745c4c45c4
Instruction Fuzzy Hash: 11A1E6F2D44218AFE7248A24ECC5BFB7779EB80310F1481BBD94D96240E67D5EC28B56

Function 008FC42C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 283processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 580e8fe5324a4991a85e2981a1c1a1bde611170f82d6f1a973f8f881a2b20035
Instruction ID: 33fc2beffd2c66004ccf4000c4de940e6aefaf98daeb2d8c0c23c25d89ca55ec
Opcode Fuzzy Hash: 580e8fe5324a4991a85e2981a1c1a1bde611170f82d6f1a973f8f881a2b20035
Instruction Fuzzy Hash: B4A107B2D0412C9BE7208A24DC55BFBB779FF84314F1481F9D90DA6280E6796FC18E91

Function 008FB522 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: d68bce638fa5220f60e8042a8d58cdbb6b21695accfe383635932b9ceb3defb1
Instruction ID: a7cbae0df243b5a44ec3904ca7fad097feb6c3b488a99edce57271cd4bf704d7
Opcode Fuzzy Hash: d68bce638fa5220f60e8042a8d58cdbb6b21695accfe383635932b9ceb3defb1
Instruction Fuzzy Hash: BA8118F2D0471C5BF3248A24EC95BF77769EB80310F1441BAEA0DA6680DA7D5FC58A62

Function 00928E58 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 264registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 5e8ca8d49d14d35c8c3c2b2fb1d77dd357b82468a697eeaf8f8f3b7c29590e55
Instruction ID: 8956935140caeddad3993c196a7815f1d428acf8aaeb2213f37c49664caebbfd
Opcode Fuzzy Hash: 5e8ca8d49d14d35c8c3c2b2fb1d77dd357b82468a697eeaf8f8f3b7c29590e55
Instruction Fuzzy Hash: 9DB1B0B1D092289BEB34CB18DC45BEAB7B5EB98314F1441FAD90DA2240D6785FC5CF11

Function 008FCA85 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 5f3959ec7534d944bc05177316b061b055cc0c70627cadb9dbb1866f3a09ebe5
Instruction ID: da15272b830241d3d643fc75d18893d9ee2dd0f1d6db559dee3bb8bb2b85106f
Opcode Fuzzy Hash: 5f3959ec7534d944bc05177316b061b055cc0c70627cadb9dbb1866f3a09ebe5
Instruction Fuzzy Hash: 3D8148F2D0471C5BF3244A24EC95BF77769FB80310F1481BAEA0DA6680DA7D5FC18A62

Function 0041B54D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Strings

JCE@, xrefs: 0041B84F

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: JCE@
API String ID: 544645111-1558425100
Opcode ID: 9cedc28ff546090686a5b71c163a9002017febe2a9c1c14bb06c3cf469e78445
Instruction ID: 7c07c533459c0fab80da28bad5399094b37ef33f10413664306e2c247ee26706
Opcode Fuzzy Hash: 9cedc28ff546090686a5b71c163a9002017febe2a9c1c14bb06c3cf469e78445
Instruction Fuzzy Hash: 7EA1CEB1D046698BEB248F28DD40BEAB7B5EF85314F1481FAD84D62640E7385FC28F46

Function 00933E83 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 529COMMON

Download Yara Rule

Strings

7[W, xrefs: 00933E84

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: 7[W
API String ID: 4275171209-3315053996
Opcode ID: 0b238b7472536576de0eaa89319c2746d7fec5600f0d5e45c186bc70ca89f7b1
Instruction ID: 04c14205f5427766981186f808a11960df9d557738b8cd07c2e1b9361b0df39a
Opcode Fuzzy Hash: 0b238b7472536576de0eaa89319c2746d7fec5600f0d5e45c186bc70ca89f7b1
Instruction Fuzzy Hash: 4B12F3B2D045589BF7248A24DC45BEBB779EF94310F0481FAD80EA6380E6795FC68F52

Function 008F596E Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 379memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Strings

Q, xrefs: 008F5DED

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: Q
API String ID: 4275171209-854704334
Opcode ID: 28023f95217fbddc69f3cd1a1ef6953d817c046618b775a154bcd722bf72e17a
Instruction ID: eccf1adf37814ab04633d8280308a29c1065cb9bcb3d34ce1768feb8cf934517
Opcode Fuzzy Hash: 28023f95217fbddc69f3cd1a1ef6953d817c046618b775a154bcd722bf72e17a
Instruction Fuzzy Hash: E4D121B1D049689FEB248A24DC84BFB77B9FF81315F1881FADA4996241D6395FC1CE02

Function 0092E012 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 314COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Strings

9PF8, xrefs: 0092FBDE

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID: 9PF8
API String ID: 2962429428-1325012634
Opcode ID: b71e861dcaa05508153e3fb1a8efbd14076cae238c1631f31d6d18ea8864ae08
Instruction ID: 6d07fe7d3f992f7d41b6fa3ead382af49175ce73b9a1877237d9a7cf5b4f75fb
Opcode Fuzzy Hash: b71e861dcaa05508153e3fb1a8efbd14076cae238c1631f31d6d18ea8864ae08
Instruction Fuzzy Hash: 5FC1E4B1D041689BEB21CB24DC41AEAB7B5EF85300F1480FAE44DA7645E6395FC6CF12

Function 0092D158 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

N>=^, xrefs: 0092D15A

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID: N>=^
API String ID: 2962429428-2453736645
Opcode ID: f2ba91f93cee4a64ab5c2b041160315baf4e02651a5acd1eee42214706048948
Instruction ID: 868ef61eb9a2f4a6087071364ac750ed1331a3eb5653ad1eb0d3e3f2b1f96993
Opcode Fuzzy Hash: f2ba91f93cee4a64ab5c2b041160315baf4e02651a5acd1eee42214706048948
Instruction Fuzzy Hash: 77B1C1B1D082689BEB218B24DC817EAB7B5EF85300F1480FAD44DA7655E6395FC6CF12

Function 00412D96 Relevance: 2.1, APIs: 1, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 844736d566c9949d759c28b661a38c96250939338e72ba80e6897733ca4178b0
Instruction ID: a173627131be94053c38d50b0cf7b5fa1860886e6855db00a7ec937b861afdaf
Opcode Fuzzy Hash: 844736d566c9949d759c28b661a38c96250939338e72ba80e6897733ca4178b0
Instruction Fuzzy Hash: C12226B2D141589BF724CA28DD45BEBBB79EB84304F1481FAD40D96280D6BE5FC18F26

Function 00412B27 Relevance: 2.0, APIs: 1, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0ed88fdf0d14caa6f1c92632f8a1346dc6d36a9a4a31beb25bc8656c488c85
Instruction ID: 7c85355221240f41de74326fdff2f1a7ae86c1bf6ca75994b514ec8b829345d4
Opcode Fuzzy Hash: 7a0ed88fdf0d14caa6f1c92632f8a1346dc6d36a9a4a31beb25bc8656c488c85
Instruction Fuzzy Hash: 951227B2D182549BF724CB28DD45BEABB79EB84304F1481FAD40D96280D6BE5FC18F16

Function 00412B56 Relevance: 2.0, APIs: 1, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28eb5d946aafb5ab38582e9f7e75354ad0bd14b2301f49fba208290e2956533a
Instruction ID: 22d2c32c0d91f1c78b09544b5dd75fd39f145da0adcf4e7265f22805e416450a
Opcode Fuzzy Hash: 28eb5d946aafb5ab38582e9f7e75354ad0bd14b2301f49fba208290e2956533a
Instruction Fuzzy Hash: D91238B2D141549BF724CB28DD45BEABB79EB94304F1481FAD40D96280D6BE4FC18F26

Function 00909992 Relevance: 2.0, APIs: 1, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8fcccd79bc3d01024919b50b6a039b76a3f0d0a1b0e5d0d8fac65eb87405f3
Instruction ID: 703754ce3aec0ff484b74968f458de6edff6eff5463581fce0c83a04c720e3b0
Opcode Fuzzy Hash: ed8fcccd79bc3d01024919b50b6a039b76a3f0d0a1b0e5d0d8fac65eb87405f3
Instruction Fuzzy Hash: BBF153B2D142249EF7248A24EC55BFB7B79EF80310F1441BED90E962C1E67D5EC18B62

Function 00412BBC Relevance: 2.0, APIs: 1, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 48c79f17db4bbdab8238a62883930746de4f6a842710fc9d9e2672a12c15f4e1
Instruction ID: 81728ae1035b69c65c435d74047e3fd55e77e1595250ec8848dd5e198627b974
Opcode Fuzzy Hash: 48c79f17db4bbdab8238a62883930746de4f6a842710fc9d9e2672a12c15f4e1
Instruction Fuzzy Hash: 8F0227B2D142588BF724CB28DD45BEABB79EB94304F1481FAD40D96280D6BE4BC1CF16

Function 00412CD6 Relevance: 1.9, APIs: 1, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8f9c9fd2e8352cb39c2ceeaff6cce883233f4c52b81fc1f69e6b140e1ced607c
Instruction ID: 6986e7f274646809a6809a72d5b31373262e71a518affd45ecc4021f0a99713c
Opcode Fuzzy Hash: 8f9c9fd2e8352cb39c2ceeaff6cce883233f4c52b81fc1f69e6b140e1ced607c
Instruction Fuzzy Hash: A4F117B1C182988EF724CB38DD44BEABB79EB84304F1481FAD40D96180D6BE5BC58F16

Function 00412A0D Relevance: 1.9, APIs: 1, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cccc17b14d395cdb45b9ec73bfca49c8ead673568b802d1373a9b2a403c308c7
Instruction ID: 83b282850b8819d6e079432a72c5561f8af0fd921ee256f7d2bf466a2132812e
Opcode Fuzzy Hash: cccc17b14d395cdb45b9ec73bfca49c8ead673568b802d1373a9b2a403c308c7
Instruction Fuzzy Hash: 1BF117B1D182988FF724CA38CD45BEABB79EB94304F0441FAD40D96181D6BE5BC58F16

Function 0090E423 Relevance: 1.9, APIs: 1, Instructions: 421injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0090FCA9

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a0cfa95f62b713d4b5b2ad63126d967e1d1d9a99ea3694eca4423351550cbb3a
Instruction ID: a657144d9c5ff40d2a113891cb125f8512789244c7de768db17e9e8bd9458071
Opcode Fuzzy Hash: a0cfa95f62b713d4b5b2ad63126d967e1d1d9a99ea3694eca4423351550cbb3a
Instruction Fuzzy Hash: 74F192B2D142299FF7248B14DC49AEAB7B9FB84310F1485FAD90DA2280E7785FC5CE51

Function 00412AB5 Relevance: 1.9, APIs: 1, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa8dcc40399ba58940eec5269bb6987e987b93cb2d2b6eb660671d8dc5731f5d
Instruction ID: c25d04bd29c8a3d81523e2d42302542de30dbcc5fb8d11a4564b7a0acb7e96ed
Opcode Fuzzy Hash: fa8dcc40399ba58940eec5269bb6987e987b93cb2d2b6eb660671d8dc5731f5d
Instruction Fuzzy Hash: 88F117B2D181988EF724CB39CD45BEABB79EB94304F0441FAD40D96180D6BE5BC58F26

Function 00412A36 Relevance: 1.9, APIs: 1, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e19865baed9857a9871f5a2c4026b740feb3f1306b8b91b4c41d32991e465569
Instruction ID: 87b71de2888bc784b0aff099216720c17f58e05d3d98153aad8e7a02ce3af28f
Opcode Fuzzy Hash: e19865baed9857a9871f5a2c4026b740feb3f1306b8b91b4c41d32991e465569
Instruction Fuzzy Hash: 58F117B2C182988FF724CA38CD45BEABB79EB94304F0441FAD40D96184D6BE5BC58F16

Function 00412D4D Relevance: 1.9, APIs: 1, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ed44a851c4c88b6acc7d0c5ffcb4c16f133bad70cf4c6b353ba0cf9af325c3d8
Instruction ID: 08d61c9abd71276e7bcfed4828cb8acbf5f67dcd0b3ce84d905c49c9e02a34c6
Opcode Fuzzy Hash: ed44a851c4c88b6acc7d0c5ffcb4c16f133bad70cf4c6b353ba0cf9af325c3d8
Instruction Fuzzy Hash: FBF116B1C182988FF724CA38CD45BEABB79EB94304F1481FAD40D96184D6BE5BC58F16

Function 00412AE3 Relevance: 1.9, APIs: 1, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 24fed693930847171cb546ed7d790dcbe27ddc843ae221ade6dac0c7e475ee30
Instruction ID: 9eadc7cde2efaaed1b984a5d12404e531f3767a4414aa6475e8c9ff78dbeae85
Opcode Fuzzy Hash: 24fed693930847171cb546ed7d790dcbe27ddc843ae221ade6dac0c7e475ee30
Instruction Fuzzy Hash: 79F116B1C182988BF724CA28CD45BEABB79EB94304F1481FAD40D96184D6BE5BC58F16

Function 0090EC7B Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ca2cc11fed54ff4a54fac0d5f06d717f27019c868a4a1cea5b541b111a9eb6
Instruction ID: 011d0f6c7f4ebfb369d6ae016e755401389ecc4c48676ddc07eebedd012066bd
Opcode Fuzzy Hash: e3ca2cc11fed54ff4a54fac0d5f06d717f27019c868a4a1cea5b541b111a9eb6
Instruction Fuzzy Hash: E0D103B2D081689FF724CB24DC95AEABB79EB81310F2441FAD94D56281D73C6EC2CE51

Function 0090959F Relevance: 1.9, APIs: 1, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048d8cef36c1a6b0f3dcf6a217b5784af81f396fbd57b81e44ebb6231e41d6c2
Instruction ID: 487ad4f8eaa975c9e9bd421b396ecd77e8196b0bf39c28c054a81902cb6f6a03
Opcode Fuzzy Hash: 048d8cef36c1a6b0f3dcf6a217b5784af81f396fbd57b81e44ebb6231e41d6c2
Instruction Fuzzy Hash: 40C157B2D046149EF7108A24EC95BFB7778EF90310F1481BAD90E966C1E67E5EC1CB62

Function 0090984B Relevance: 1.8, APIs: 1, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e792d18e2530fa9b3b3c003973df3210de8169a801fd0bdaed6d9d00000a9d4
Instruction ID: e16c8e982c4264f3371179c2231b54a10db468c26e38be4971b37cccc0c02de4
Opcode Fuzzy Hash: 0e792d18e2530fa9b3b3c003973df3210de8169a801fd0bdaed6d9d00000a9d4
Instruction Fuzzy Hash: ACC132B2D142249EF7208B24DC54BFB7679EF91310F1481BAE90D962C1E67D5EC1CB62

Function 004120B2 Relevance: 1.8, APIs: 1, Instructions: 332libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f73b989c36e49737ba16bcb8db3207c3d024309a4faf8c23682ed0e059c3e122
Instruction ID: 68fcf2f6689c69d927717ee79365b4a85c972a433720d20fd96375829fbe019e
Opcode Fuzzy Hash: f73b989c36e49737ba16bcb8db3207c3d024309a4faf8c23682ed0e059c3e122
Instruction Fuzzy Hash: 81D107B1C181988AF724CB28CD45BEABB79EB94304F1481FAC40D96184D6BF5BC58F16

Function 004133D4 Relevance: 1.8, APIs: 1, Instructions: 329libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e18c0113196cbf197c9c0a09fd3ea4d64e1c55021d881bc928c383aefc03d63d
Instruction ID: 9c546136633581368c643fc48e5b2d4f0d65dfec77795a479303ee077f8a157c
Opcode Fuzzy Hash: e18c0113196cbf197c9c0a09fd3ea4d64e1c55021d881bc928c383aefc03d63d
Instruction Fuzzy Hash: 04D106B1C186988EF724CB28CD45BEABB79EB44304F0481FAC40D96184D6BB5BC5CF16

Function 0041303C Relevance: 1.8, APIs: 1, Instructions: 327libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 197fba5ed2fa1d1acc950096ed80ae44aec4a453ac70a99a872013438e5d4b5f
Instruction ID: 685db6e6754c034d7e57d24a7f2ee9e1369a5a20694af23d03f85a1bccd5a8ed
Opcode Fuzzy Hash: 197fba5ed2fa1d1acc950096ed80ae44aec4a453ac70a99a872013438e5d4b5f
Instruction Fuzzy Hash: 5AD106B1D182988AF724CB28CD45BEABB79EB94304F0481FAC40D96184C6BB5BC5CF16

Function 00412905 Relevance: 1.8, APIs: 1, Instructions: 327libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9685453c858acef7bbe08a609eba0d138d8fff13938d5bed7f656a7703b5964d
Instruction ID: ba361cb80cab4e2aa1748923d4768de877caf7156e757222a378a47da172c41c
Opcode Fuzzy Hash: 9685453c858acef7bbe08a609eba0d138d8fff13938d5bed7f656a7703b5964d
Instruction Fuzzy Hash: 81D107B1C185998AF724CB28CD45BEABB79EB54304F1481FAC40D9A184C6BF5BC58F16

Function 004144E2 Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 3be3174dd3cd9d79a627e91fdefaaa32ff7f2729f6bf8127ef592b982d6a05ed
Instruction ID: 96c8c416ef09b65182ac49eb9859cb1ec8255d27186aa3d180cefa8ec86ead54
Opcode Fuzzy Hash: 3be3174dd3cd9d79a627e91fdefaaa32ff7f2729f6bf8127ef592b982d6a05ed
Instruction Fuzzy Hash: 97D18071E046688BDB24CB28CD50BDABBB5EF89314F1481EAD84DA7640DB785BC5CF06

Function 0093413A Relevance: 1.8, APIs: 1, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fbe901cf6143a8eb8d98041d06f2c6ba56e78e64c0a2503e73adda28b62a49d2
Instruction ID: 3894d242a1016a62031ae219b8cc3fa908a0c3528fd616ca7727f4cb5470888e
Opcode Fuzzy Hash: fbe901cf6143a8eb8d98041d06f2c6ba56e78e64c0a2503e73adda28b62a49d2
Instruction Fuzzy Hash: 9F12F2B2D045549BF7248B24DC45BEBB779EF94310F1481FAE80EA6380E6395EC68F52

Function 0092D564 Relevance: 1.8, APIs: 1, Instructions: 546COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cf6b0ef9e43c76231d47be816256593b5ca41b43bbe4d4e47af66ca22d1d84bf
Instruction ID: f70bb2b9d2e59142af73a13e7f234ffaba5a3ceacf7a6218068c3442be7c293b
Opcode Fuzzy Hash: cf6b0ef9e43c76231d47be816256593b5ca41b43bbe4d4e47af66ca22d1d84bf
Instruction Fuzzy Hash: 9B2216B2D051649BE7248B24DC85BEAB7B5EF85310F1480FAE80DA7245D6385FC6CF52

Function 0090A444 Relevance: 1.8, APIs: 1, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52ad58f9f3e527aea48f0031ae447d1224f7446b4abdbe1b419ba34039b9eec
Instruction ID: ddfe8b74e73b63d3e83e9b278a76ad43540f32ed2bfe7d6527ee3f62716df26f
Opcode Fuzzy Hash: b52ad58f9f3e527aea48f0031ae447d1224f7446b4abdbe1b419ba34039b9eec
Instruction Fuzzy Hash: D8B145B2E142149FE7288A14DC94AEA77B9EB80310F1541FEE90D972C1D73D6EC18E92

Function 00933E7C Relevance: 1.8, APIs: 1, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7b21e0b2bef6690b3aa9fc7a5c8d50a79e4d561df52c152aad01dbc30c9e9c50
Instruction ID: 46349d54f7ac578d2fdf1a5e65fd08a1a7692d39cf5cbb7adb50a648949d5291
Opcode Fuzzy Hash: 7b21e0b2bef6690b3aa9fc7a5c8d50a79e4d561df52c152aad01dbc30c9e9c50
Instruction Fuzzy Hash: BF12F3B2D045589BF7248A14DC45BEBB779EF94310F1481FAD80EA6380E6395FC68F52

Function 0041B314 Relevance: 1.7, APIs: 1, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0140f9e48abfe85ad68b6e47ee759a07724a956fd4cc8692ad96253a84439f59
Instruction ID: 15dcfd778898b3ce6832c1a44629109f08f74687ff8f40f831ff671d724ece92
Opcode Fuzzy Hash: 0140f9e48abfe85ad68b6e47ee759a07724a956fd4cc8692ad96253a84439f59
Instruction Fuzzy Hash: 4571E7F2D141249EF7208A25DC85BFB7779EF85310F1481BBE94D96640E23C5EC28AA7

Function 0092EDFE Relevance: 1.7, APIs: 1, Instructions: 230fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 31822dbf289aef4df6e32976faaccfb6202d25443d5fa6dee9a27f7e663600a7
Instruction ID: 2f2849ed1bd1c2d124ca93f2bc11c04e945c198c9a742bfe037e915e578295f0
Opcode Fuzzy Hash: 31822dbf289aef4df6e32976faaccfb6202d25443d5fa6dee9a27f7e663600a7
Instruction Fuzzy Hash: FE7127F2D04224AFF7248A21EC55BFB7B78FB81310F1581BAE94D56280D6785FC18B92

Function 0090F0D5 Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 80bacb90ebba5bfe33d3852e4ca0bf8bb1a024255b67ed88ea578d910e0cbdeb
Instruction ID: 8e4d7bc80c36a560d819fc95325cc069f1b93cf40564af95884243f3a55380bb
Opcode Fuzzy Hash: 80bacb90ebba5bfe33d3852e4ca0bf8bb1a024255b67ed88ea578d910e0cbdeb
Instruction Fuzzy Hash: B37127F2D086189FF7348B54DC95AE77B68EB81310F1442FED94E42680D73C5EC68A52

Function 0041C00B Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dbf633aa006d1c5928237ce6c2e3f9b1082b282022c84a0b0f03e239399d03
Instruction ID: c6c6a236b98ead54bc5c1405ed2cfbeb93079af9db1b2ed2cbde8b8eb090ef9d
Opcode Fuzzy Hash: 31dbf633aa006d1c5928237ce6c2e3f9b1082b282022c84a0b0f03e239399d03
Instruction Fuzzy Hash: 7471FAF2D44218AFF7248A14EC85BFB7779EB80710F1080BAE94D96240E67D5EC18B55

Function 00909F4D Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,00001000,00000040,?), ref: 0090B3C8

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 34685260680448ff6737195677eb30f2e55af384ab0127260b8533547a0f3730
Instruction ID: 3415d443cdca6769374a1cde48ec8cab0c0a378c2d60a67e4d5c32b4cad41b1c
Opcode Fuzzy Hash: 34685260680448ff6737195677eb30f2e55af384ab0127260b8533547a0f3730
Instruction Fuzzy Hash: AF7107B2D012249FF7208A14EC85BEB7779EF91310F1481BAE90D56681E6795EC1CB62

Function 0092DEDA Relevance: 1.7, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 467ee1954c5fc635aa634afa7d59deab3c858c04b06ce9e3d70abb1cb1e853b0
Instruction ID: d44a777db51f8b28e443b60a329e8a82ca2a40ff77446df5fb9420008b07b920
Opcode Fuzzy Hash: 467ee1954c5fc635aa634afa7d59deab3c858c04b06ce9e3d70abb1cb1e853b0
Instruction Fuzzy Hash: ED02D5B1D151689BE7208B24EC81BEAB7B9EF85310F1480FAD44DA7241E6395FC6CF52

Function 0041C054 Relevance: 1.7, APIs: 1, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abea441612a0f467895e79582060ed38df3af34d84f1c1ea1cbed8c310e11844
Instruction ID: 957819c9f192194d9daf0ff4e04562e90351947be2dcaa4b7241ca887b0d445c
Opcode Fuzzy Hash: abea441612a0f467895e79582060ed38df3af34d84f1c1ea1cbed8c310e11844
Instruction Fuzzy Hash: 0A6107F2D40118AFF7248A15EC85BFB7739EBC0710F1081BAE90D96240EA7D5EC18B66

Function 0092C45E Relevance: 1.7, APIs: 1, Instructions: 206registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,009086BE,?,009086BE), ref: 0092C4DE

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 36e682b40685ef7ee5bbb4c8eaa04a6af8d5f652a3700dd43070738bb5e2fa9a
Instruction ID: dfda702ecb2c56e89fc0dc86a0bf2d349e91539c442e031d2ec53aef4bf72069
Opcode Fuzzy Hash: 36e682b40685ef7ee5bbb4c8eaa04a6af8d5f652a3700dd43070738bb5e2fa9a
Instruction Fuzzy Hash: 199190B1D082689FEB25CB18DC956EABBB5EF84314F0441EAE84DA2640D7785FC5CF42

Function 00933E00 Relevance: 1.7, APIs: 1, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 071682226b20471e8c0d88ed6af4984a44dca9a95185c1a9fa286133cbe3ec77
Instruction ID: 3fbd89fb497dae80f2f269fbcd92e7ba9134ec655fa50bbebda578826c45ff3e
Opcode Fuzzy Hash: 071682226b20471e8c0d88ed6af4984a44dca9a95185c1a9fa286133cbe3ec77
Instruction Fuzzy Hash: E7F1E3B1D045589FF7248A24DC45BEBBB79EF94310F0481FAD80EA6280E6795FC68F52

Function 0092CD74 Relevance: 1.7, APIs: 1, Instructions: 428COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ad54c969940ec9d8ea0a7649e49e5e2c6d8be863fbd3def2c289cbdaa601283c
Instruction ID: d457e1c874ed81e5899ea83f8b2686448c7fadd950f6503a4fdf9167d26d8743
Opcode Fuzzy Hash: ad54c969940ec9d8ea0a7649e49e5e2c6d8be863fbd3def2c289cbdaa601283c
Instruction Fuzzy Hash: 0AF1F2B1D052689BE7208B24DC41BEAB7B5EF85310F1480FAE44DA7645E6385FC6CF52

Function 00933D80 Relevance: 1.7, APIs: 1, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb4a11e0cf6f2b412f1f0f38cba33cf02f8c6e71f239aeeb87e8f00ccc1120b8
Instruction ID: b15ce64301bfc12fc0b6f6abfa2df10040bc3f8d33d4e0fdba8ab5fd250fa877
Opcode Fuzzy Hash: cb4a11e0cf6f2b412f1f0f38cba33cf02f8c6e71f239aeeb87e8f00ccc1120b8
Instruction Fuzzy Hash: 1EF1F3B1D045589BF7248A14DC45BEBBB79EF94310F1480FAD80EA6280E6795FC68F52

Function 0093407E Relevance: 1.7, APIs: 1, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 16f6fb687bc914980df2e4226cd21a4a0ae253a70127c48ac0865eb57b8ad609
Instruction ID: f1c758d9c651a1d1212a3198f62760c2a94bce486a3fbd051857a2d66d5b5174
Opcode Fuzzy Hash: 16f6fb687bc914980df2e4226cd21a4a0ae253a70127c48ac0865eb57b8ad609
Instruction Fuzzy Hash: 31F103B1D045589BF7248A24DC45BEBBB79EF94310F0481FAD80E66380E6396FC68F52

Function 0041425D Relevance: 1.7, APIs: 1, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef8c1668dea65dddc22df6dcf046ea42bb2230d9cefcaf97b6207085495547d
Instruction ID: 55609a824f60cee9716f1d17ae3aa197f78d86d512fe8d947a7185235d935f02
Opcode Fuzzy Hash: aef8c1668dea65dddc22df6dcf046ea42bb2230d9cefcaf97b6207085495547d
Instruction Fuzzy Hash: BD61C272D046288FD724CB29CD80AEABBB5EF88304F1481EAD40DA7294D6785BC5CE56

Function 0090ADCA Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,00001000,00000040,?), ref: 0090B3C8

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 43670d47c1e9dd491f6372380848afd5ade688905aefd68faa0b148dd1691b21
Instruction ID: ca6a6c634732d96b04b699fdfb696f1901abe7e90877152937b13a6883b53fd1
Opcode Fuzzy Hash: 43670d47c1e9dd491f6372380848afd5ade688905aefd68faa0b148dd1691b21
Instruction Fuzzy Hash: F151F6F2D152249FE7288A24DD51BF77B78EB80310F1441FEDA0E666C1D63D5EC18A92

Function 009335E9 Relevance: 1.7, APIs: 1, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1b8f3c473c5db2475b4ee3a1381978e2df7d54440b434cc5529c08ee324efaa6
Instruction ID: fb15718a681c96ceeec10873a8a43636319639717e12d80dd61660e028c606d7
Opcode Fuzzy Hash: 1b8f3c473c5db2475b4ee3a1381978e2df7d54440b434cc5529c08ee324efaa6
Instruction Fuzzy Hash: 89F1F5B1C046689BF7248B25DC45BEBB7B5EF94310F0481FAD80EA6280E6795FC68F51

Function 0092D173 Relevance: 1.7, APIs: 1, Instructions: 417COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 018e33128fe7920b94d2d3a51bc8969b7ba01c739b6e1842258d680c394b0094
Instruction ID: 4c3cfa8df6dc23f06045230222ef02c7bdc4d15507de090a8bf965ebefd08f72
Opcode Fuzzy Hash: 018e33128fe7920b94d2d3a51bc8969b7ba01c739b6e1842258d680c394b0094
Instruction Fuzzy Hash: 0302ADB1D092688BEB25CB28DC41AEAB7B5EF89300F1480EAD44DA7355D6345FC6CF52

Function 0092D6FF Relevance: 1.7, APIs: 1, Instructions: 417COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 62609fd74ac5d35a35f40aaad26328c58fdb3c8cdfdf4112696467d40b72c20b
Instruction ID: bb27efb9cf2e0cb3318d79c918f756db726f548ac0324918cc382e3343a67998
Opcode Fuzzy Hash: 62609fd74ac5d35a35f40aaad26328c58fdb3c8cdfdf4112696467d40b72c20b
Instruction Fuzzy Hash: 77F1F1B1D051689BEB208B24DC81BEAB7B9EF85310F1480FAD44DA7245E6385FC6CF52

Function 0092DDC7 Relevance: 1.7, APIs: 1, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a342dcd9ca99331cde2bf6bdc0b9118a3b603ad6781b044250909ef620a742f4
Instruction ID: 313ef4fdff27e10d88099cefd85410ef89c427ae1b7b4d241053f5f73a09cdd3
Opcode Fuzzy Hash: a342dcd9ca99331cde2bf6bdc0b9118a3b603ad6781b044250909ef620a742f4
Instruction Fuzzy Hash: 8BF1E4B1D052689BEB208B24EC817EAB7B5EF85310F1480FAD44DA7245E6395FC6CF52

Function 0092D129 Relevance: 1.7, APIs: 1, Instructions: 401COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cdd4a6e1b8533941806f2e04b5779ef442f4716b0ecb1f71877b40e050b1a6c5
Instruction ID: 8bfab02ca2eb0ac71d4b3d4894d3acb61589bbec4e22a5b2702829672229af21
Opcode Fuzzy Hash: cdd4a6e1b8533941806f2e04b5779ef442f4716b0ecb1f71877b40e050b1a6c5
Instruction Fuzzy Hash: 72F102B1D052689BEB208B24DC41BEAB7B9EF85300F0481FAD44DA7641E6395FC6CF52

Function 0093365A Relevance: 1.7, APIs: 1, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 632a58d4b9440c19b0648dac9262503628e974a7fdff4f71b36e79fe224860d9
Instruction ID: dfc032172b0fb8e25e7fbd31cea0e88670c2e9ba738fc3d5eb9b738cdebca888
Opcode Fuzzy Hash: 632a58d4b9440c19b0648dac9262503628e974a7fdff4f71b36e79fe224860d9
Instruction Fuzzy Hash: E3E103B1C046589BF7248B25DC45BEBBB79EF94310F0481FAD80EA6280E6795FC68F51

Function 009337A1 Relevance: 1.6, APIs: 1, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e4f7083b0cf60427be9de7d4e641d34711a53cb34708e79f42ae3befa3e6214a
Instruction ID: 09f98581383dc1c6dbb9cba1c3d4040147b0f15f29d3edba9d8b3caf925d2c97
Opcode Fuzzy Hash: e4f7083b0cf60427be9de7d4e641d34711a53cb34708e79f42ae3befa3e6214a
Instruction Fuzzy Hash: 4FE1F4B1D046689BF7248A25DC45BEBBB75EF84310F0580FAD80EA7280E6795FC58F51

Function 0093367E Relevance: 1.6, APIs: 1, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 00c5003582102c3bd5141b44f6a213753ee386f8f9e602b80c811ecdf18253b4
Instruction ID: c6e9c8bde0b33d4c7472fd848bd7783c4c275eddfe6d9608dcca4e14715de950
Opcode Fuzzy Hash: 00c5003582102c3bd5141b44f6a213753ee386f8f9e602b80c811ecdf18253b4
Instruction Fuzzy Hash: 9AE1F2B1D046589BF7248B24DC45BEABBB9EF94310F0481FAD80EA6280E6795FC58F51

Function 0092DCD2 Relevance: 1.6, APIs: 1, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c2d6c649e2e1baa43f699cb28eb06fda6a7e526f639a740b19787b5d361588bf
Instruction ID: c4e81914a28b8b74df96a7c95b0aaace8179d460002509a6c75655416fc6b70b
Opcode Fuzzy Hash: c2d6c649e2e1baa43f699cb28eb06fda6a7e526f639a740b19787b5d361588bf
Instruction Fuzzy Hash: 7EF1D2B1D152689BEB208B24DC81BEAB7B5EF85310F1480FAD44DA7241E6395FC6CF52

Function 0092DA71 Relevance: 1.6, APIs: 1, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f8daa251e5a91ae86092a3ceea3e50c7f022f86ad420f0dace9615d31f70abb5
Instruction ID: ef9090cfdf093ec2173e260b51239af36d6b5be2d45652e365e193ecfe14a399
Opcode Fuzzy Hash: f8daa251e5a91ae86092a3ceea3e50c7f022f86ad420f0dace9615d31f70abb5
Instruction Fuzzy Hash: 80E1F6B1D051689BEB218B24DC81BEAB7B5EF85310F1480FAE44DA7245D6389FC6CF52

Function 009341AB Relevance: 1.6, APIs: 1, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3f2d03fa5596b8ccd7b38283cab3cdf986f90f72586131ed3da5e7afabc67a61
Instruction ID: 4af10f5e1a2c0ee82c973ed3f34b38fa504ca01b3035404b5c90dcb7fe8652ca
Opcode Fuzzy Hash: 3f2d03fa5596b8ccd7b38283cab3cdf986f90f72586131ed3da5e7afabc67a61
Instruction Fuzzy Hash: 09E1E4B1D045589BE7248B24DC45BEBBB79EF94310F0481FAD80EA7280E6795FC68F52

Function 00933BA3 Relevance: 1.6, APIs: 1, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f5917e9f8cf0eb32351dd55a2fbac56960e89d2a089e523a6d88763b2f2355e
Instruction ID: 8b9498b894bc57f4cb5a0805876438e969980307656ea6296fb968eb2592402e
Opcode Fuzzy Hash: 5f5917e9f8cf0eb32351dd55a2fbac56960e89d2a089e523a6d88763b2f2355e
Instruction Fuzzy Hash: 3AE103B1D046589BF7248B24DC45BEBBB79EF94310F0481FAD80EA6280E6795FC68F51

Function 0092DA7B Relevance: 1.6, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0cff8df51398586e2d3b212884640f1c0b977d19f6b7d56f4dfe69613170a4ba
Instruction ID: 9d2d7b501ab6db62f5474df3817d4109d317ff701c08fad3af006ee7de772751
Opcode Fuzzy Hash: 0cff8df51398586e2d3b212884640f1c0b977d19f6b7d56f4dfe69613170a4ba
Instruction Fuzzy Hash: 72E1F6B1D052689BEB21CB24DC41BEABBB5EF85310F1480FAD44DA7245D6389EC6CF52

Function 0093369D Relevance: 1.6, APIs: 1, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 42481a7647596beb3b0faba8fa8eebc07ebb51e947738921e8d309b03c0a9e89
Instruction ID: eb758a9a99184ca3546e0ad97c762271f6339bbbe06e729a2c229462551f2538
Opcode Fuzzy Hash: 42481a7647596beb3b0faba8fa8eebc07ebb51e947738921e8d309b03c0a9e89
Instruction Fuzzy Hash: DAE1F3B1D046589BF7248B24DC45BEBBB79EF94310F0481FAD80EA6280E6795FC58F52

Function 0093376C Relevance: 1.6, APIs: 1, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b5f9d08b2c31b73fd452273a6ab4e71c5e86bd892ed1c4fa35dd4a20199bb1b0
Instruction ID: ca7f3377493256373791137e41fdae3399cd8638ca116d3dfc8f3c01e674bee0
Opcode Fuzzy Hash: b5f9d08b2c31b73fd452273a6ab4e71c5e86bd892ed1c4fa35dd4a20199bb1b0
Instruction Fuzzy Hash: 1AE1E2B1D046589BF7248B15DC45BEBBB79EF94310F0480FAD80EA6280E6795FC68F52

Function 0092D7D4 Relevance: 1.6, APIs: 1, Instructions: 374COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 237e44f665a9287c54dcc2fdf553b3516bc83ba852807aa9203f33f13300e365
Instruction ID: bbb19248258d816fe9e6cd902793e92422680380b94f2398aa206649b64324c1
Opcode Fuzzy Hash: 237e44f665a9287c54dcc2fdf553b3516bc83ba852807aa9203f33f13300e365
Instruction Fuzzy Hash: 1AE19EB1D051688BEB21CB24DC81BEAB7BAEF85304F1480EAD44DA7255D6385FC6CF12

Function 009341F2 Relevance: 1.6, APIs: 1, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8dab075495088b8315e27cdb03deece55d2ac3725a956baeed2078138db4cd1e
Instruction ID: f16e0965aafc163c66714175089c44f4bc66c948915224f3b2c52c005bc8ce23
Opcode Fuzzy Hash: 8dab075495088b8315e27cdb03deece55d2ac3725a956baeed2078138db4cd1e
Instruction Fuzzy Hash: 5DD1E5B1D046589BF7248B14DC45BEBBB79EF94310F0481FAD80EA6380E6795EC68F52

Function 00933BD9 Relevance: 1.6, APIs: 1, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ca7d1aa2981cc0b410d31164be2f8430bf366a1ae2b28902d67bad02af66df6d
Instruction ID: edfd8629cc4303a7b11aafc91cb220ec729e20697686e296130920f6ecca9c40
Opcode Fuzzy Hash: ca7d1aa2981cc0b410d31164be2f8430bf366a1ae2b28902d67bad02af66df6d
Instruction Fuzzy Hash: E2E1E2B1D046589BF7248B14DC45BEBBBB9EF94310F0480FAD80EA6280E6795FC68F51

Function 009336F4 Relevance: 1.6, APIs: 1, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 71e58f27764a3f980edc568aae15c1ff5ca118dbe02431360154ad41c845e861
Instruction ID: fd22c3dac99a4446288314a9190eaa9acd3b63fe2b5b3357d6d1ef67796314e1
Opcode Fuzzy Hash: 71e58f27764a3f980edc568aae15c1ff5ca118dbe02431360154ad41c845e861
Instruction Fuzzy Hash: 7CE1E2B1D046589BF7248B24DC45BEBBB79EF94310F0480FAD80EA6280E6795FC68F51

Function 0092D40E Relevance: 1.6, APIs: 1, Instructions: 368COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 07eed11d892d216fe0f2b3e1e5958be9523ec0f1793a66c3d9cc5e5e93aa94c4
Instruction ID: 3e1ac08e5717390c87e76ef791dbc9ec6027af65f02d3f4b233cc4f73d4dd201
Opcode Fuzzy Hash: 07eed11d892d216fe0f2b3e1e5958be9523ec0f1793a66c3d9cc5e5e93aa94c4
Instruction Fuzzy Hash: 12E105B1E052689BE7208B28DC41BEAB7B9EF85310F1480FAD44DA7255D6385FC6CF52

Function 0092D333 Relevance: 1.6, APIs: 1, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651467fb5282a52cc7f40f43e9e9d53f021e0dc2d4ccdd7ece0196be77c287cb
Instruction ID: 7e52ef16451576504827a850911c8b31eb9f7266a5339b22320b4c2fc6e87ebb
Opcode Fuzzy Hash: 651467fb5282a52cc7f40f43e9e9d53f021e0dc2d4ccdd7ece0196be77c287cb
Instruction Fuzzy Hash: 09E1D1B1D092688BEB218B28DC417EAB7B5EF89310F1480FAD44DA7255E6345FC6CF52

Function 0092D30C Relevance: 1.6, APIs: 1, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c3d6d33e301f75d303773e2c299509da0a2fdfaacfbfabb127c7825e5c2aa1
Instruction ID: a309ed4473b6989a87e48c6f5ed2f9bb4eafabdcaab6d4e1bb7016c50cd70b47
Opcode Fuzzy Hash: 74c3d6d33e301f75d303773e2c299509da0a2fdfaacfbfabb127c7825e5c2aa1
Instruction Fuzzy Hash: F6E1C0B1D092688BEB218B28DC417EAB7B5EF89310F1480FAD44DA7255E6345FC6CF52

Function 0092DAD7 Relevance: 1.6, APIs: 1, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e4f0a44b911d762e28ee48c1331face9881dd428f41a60311b09f8ca665f375e
Instruction ID: 746da133dc35d2e7b86e521087cbb8c9d752ce8c9ce0781671989ecc7fd6ab3f
Opcode Fuzzy Hash: e4f0a44b911d762e28ee48c1331face9881dd428f41a60311b09f8ca665f375e
Instruction Fuzzy Hash: 26E1E4B1D052689BEB21CB24DC81BEAB7B5EF85310F1480FAD44DA7251D6389EC6CF52

Function 00933C2A Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3a525df4bb406f93ab7209377e518178948875b0e0397cc8d2db14aded1d74af
Instruction ID: 121bfa65cce946ed82415dedaaf6366e38906f021a030376865b1c3505f9cc51
Opcode Fuzzy Hash: 3a525df4bb406f93ab7209377e518178948875b0e0397cc8d2db14aded1d74af
Instruction Fuzzy Hash: 83D1D2B1D046589BF7248B24DC45BEBBB75EF94310F0481FAD80EA6280E6795FC68F51

Function 00934372 Relevance: 1.6, APIs: 1, Instructions: 356memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 009347C6

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bebd921562a826303b43a9fad6362f24c997b2019e8907db8fac0e09e8c1d6e1
Instruction ID: e93da697e2788dd4b7210ef37ca83f5e7fd36e731196143bcbf395252eee7270
Opcode Fuzzy Hash: bebd921562a826303b43a9fad6362f24c997b2019e8907db8fac0e09e8c1d6e1
Instruction Fuzzy Hash: 84D1C2B1D046589BE7248A14DC45BEBBB79EF94310F0481FAD80EA6380E6795FC68F51

Function 00934739 Relevance: 1.6, APIs: 1, Instructions: 351memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 009347C6

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0239896bc62e41120d7cd9cbfe0b443268d1208fe438dae7df26f8b290800989
Instruction ID: c9846bc27b38fb59494a5cc1f45acbb6ae65e7449c31540e1a1babd03e3d19b7
Opcode Fuzzy Hash: 0239896bc62e41120d7cd9cbfe0b443268d1208fe438dae7df26f8b290800989
Instruction Fuzzy Hash: 9FD1D2B1D046589BE7248B14DC45BEBBBB5EF94310F0481FAD80EA6380E6796FC68F51

Function 0092DE07 Relevance: 1.6, APIs: 1, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e4e53fada7c956d3d9e97cdcf6162446305fc0bea3d24ac5d20df0c9839807
Instruction ID: a0e848aa93ab8d966ccfbe0cc2d44dbf840fe799ab218cbbea2823c1355852f7
Opcode Fuzzy Hash: e8e4e53fada7c956d3d9e97cdcf6162446305fc0bea3d24ac5d20df0c9839807
Instruction Fuzzy Hash: 27D1E2B1D052689BEB21CB24DC81BEAB7B5EF85310F1480FAD44DA7245E6385EC6CF52

Function 0092DE02 Relevance: 1.6, APIs: 1, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0382e3579c041baf1e75902b87e20b3b2890330330aa6ba2f862bfa4f503b8
Instruction ID: 8f287f0fa2e6518ef27ad742917f6a4a71b8d806d7f00dab0d6a070f71cab79f
Opcode Fuzzy Hash: 9a0382e3579c041baf1e75902b87e20b3b2890330330aa6ba2f862bfa4f503b8
Instruction Fuzzy Hash: 0AD1D1B1D052689BEB208B24DC81BEAB7B5EF85310F1480FAD44DA7245E6385FC6CF52

Function 00934308 Relevance: 1.6, APIs: 1, Instructions: 340memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 009347C6

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 44b17ac716bf454d5d1b14b4393ccfe5a47494c20ea658975a08a7d9088b8195
Instruction ID: 01c54c74ae3c63ff1d3afb2a2cffc2c817f2619b1404552f77960b43ed8a5121
Opcode Fuzzy Hash: 44b17ac716bf454d5d1b14b4393ccfe5a47494c20ea658975a08a7d9088b8195
Instruction Fuzzy Hash: 0DD1C2B1D046589BF7248A24DC45BEBBB79EF94310F0481FAD80EA6380E6795FC68F51

Function 0093476E Relevance: 1.6, APIs: 1, Instructions: 338memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 009347C6

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bf710138b889c27f14ddb7c87f2f15c26157582b878d2f81cb89e3b4f02d27d8
Instruction ID: 665f2d0b6c9d6782d15c5f5a3c325dd18c122f8f1c548bc90cad9ff301ac1622
Opcode Fuzzy Hash: bf710138b889c27f14ddb7c87f2f15c26157582b878d2f81cb89e3b4f02d27d8
Instruction Fuzzy Hash: FDD1C1B1D046589BE7248B14DC45BEBBB79EF94310F0481FAD80EA6380E6795FC68F51

Function 0092D38C Relevance: 1.6, APIs: 1, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6375f69c0f6cadbe31285d290fccbfbce7bd964d03536673a7ad17be4f786e8a
Instruction ID: 4c74633be11b0b8f2081ad908121b9750ff7e9d3327c68bb0c458cc6e98c419e
Opcode Fuzzy Hash: 6375f69c0f6cadbe31285d290fccbfbce7bd964d03536673a7ad17be4f786e8a
Instruction Fuzzy Hash: 1BE1D4B1D052A89BEB218B28DC417EAB7B5EF85310F1480FAD44DA7255E6385FC6CF12

Function 0092DBCC Relevance: 1.6, APIs: 1, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9805fe815e896d360da598072cc2db8a5823c085afccd6f27ca2eea2153ba6dc
Instruction ID: 2e912a5cbe1be1245ad50e6e9578f57b672f933afdb98b5aac19ef0be49282e9
Opcode Fuzzy Hash: 9805fe815e896d360da598072cc2db8a5823c085afccd6f27ca2eea2153ba6dc
Instruction Fuzzy Hash: 78D1C1B1D042689BEB218B24DC81BEAB7B5EF85310F1480FAD44DA7251E6395FC6CF52

Function 0092DB4D Relevance: 1.6, APIs: 1, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0cdf6412d54e4214d8fa388111f78104a6bedac3a2e615b9d77c9faefe24a0a6
Instruction ID: 93446ab649606e227d8044bcff233ae8a384a3e6ca7af9fed5d746154146b25f
Opcode Fuzzy Hash: 0cdf6412d54e4214d8fa388111f78104a6bedac3a2e615b9d77c9faefe24a0a6
Instruction Fuzzy Hash: C0D1C4B1D042689BEB21CB24DC817EAB7B5EF85310F1480FAD44DA7251E6399EC6CF52

Function 009342A4 Relevance: 1.6, APIs: 1, Instructions: 327memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 009347C6

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 94d403468b8ad9dad55bdd87402976de041919405bb102ecb9b85d0a5c869a21
Instruction ID: 28118064654322da9b47b63ec87e3728dfb9ab32f322bfbdc6be35a0fd5c319d
Opcode Fuzzy Hash: 94d403468b8ad9dad55bdd87402976de041919405bb102ecb9b85d0a5c869a21
Instruction Fuzzy Hash: 1DC1C1B1D046589BE7248B24DC45BEBBB75EF94310F0481FAD80EA6380E6795FC68F51

Function 0093341D Relevance: 1.6, APIs: 1, Instructions: 326memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 009347C6

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1edae8b4b8e0c4ec0422b3d18eca2b9b5342438d9f727a2010cdc2954dc62dbf
Instruction ID: c222c30051e656151391e49b9cbc5b468b2471e01a7a6ffce6a0b4501b1d4d9e
Opcode Fuzzy Hash: 1edae8b4b8e0c4ec0422b3d18eca2b9b5342438d9f727a2010cdc2954dc62dbf
Instruction Fuzzy Hash: 81C1C0B1D046589BF7248B24DC45BEBBB79EF94310F0481FAD80EA6280E6795FC68F51

Function 0092D8AE Relevance: 1.6, APIs: 1, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: df01d5d106556094c180bb87b6299109c6e411b25f81c4935701fe07c72c2f0c
Instruction ID: 69ace62c7db26e4d1b8538e141ed95bcaa31a46d0014318a5c5b6c369b4ab650
Opcode Fuzzy Hash: df01d5d106556094c180bb87b6299109c6e411b25f81c4935701fe07c72c2f0c
Instruction Fuzzy Hash: 29D1D0B1D051688BEB21CB28DC81AEAB7B9EF85310F1481FAD44DA7251D6385FC6CF12

Function 0092D456 Relevance: 1.6, APIs: 1, Instructions: 321COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c7a38b4acfb1b885bfdff268aea664d71b493676cb20487b82e645c997c3a0b7
Instruction ID: 424aedeffe761a2bfe8786e265b40123d5a3bc6f7cb6f67d028e2b6a08c85243
Opcode Fuzzy Hash: c7a38b4acfb1b885bfdff268aea664d71b493676cb20487b82e645c997c3a0b7
Instruction Fuzzy Hash: 8FD1D3B1D092A89BEB218B28DC417EAB7B5EF85300F1480FAD44DA7255D6385FC6CF12

Function 0092DE76 Relevance: 1.6, APIs: 1, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e27ce3371ade90565ce916bf504824a82134472b849b75bfb1034f88a35db6fb
Instruction ID: 7e6b8e52cf9840ab28c6831a9eafc49c7b91cbf11c6f703953106299f9ec4b4a
Opcode Fuzzy Hash: e27ce3371ade90565ce916bf504824a82134472b849b75bfb1034f88a35db6fb
Instruction Fuzzy Hash: 47D1D1B1D042689BEB21CB24DC81AEAB7B5EF85310F1480FAD44DA7251E6359EC6CF52

Function 0092DB66 Relevance: 1.6, APIs: 1, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 29be6b8c867bc56436faea252415b6071dd9d5c8106e24ca3e55df0603a52e3a
Instruction ID: 374aa566374a2fd1e820a4f3d6b456d2e610ebb003c904439e068971cb5ed7ce
Opcode Fuzzy Hash: 29be6b8c867bc56436faea252415b6071dd9d5c8106e24ca3e55df0603a52e3a
Instruction Fuzzy Hash: 2DD1C1B1D042689BEB218B24DC817EAB7B5EF85310F1480FAD44DA7251E6399FC6CF52

Function 0090C521 Relevance: 1.6, APIs: 1, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8946b2539b27f53a1cf125141da3ed118524740d144cee17eafa8fcc04a1bceb
Instruction ID: 614cbcafc29ac2c7a8628ce856d2249237b24c19bc1a1efe736ac4a741ac366b
Opcode Fuzzy Hash: 8946b2539b27f53a1cf125141da3ed118524740d144cee17eafa8fcc04a1bceb
Instruction Fuzzy Hash: D8B127F3D146245FF7148A24DC59BE77768EB80310F1542BEE90E626C0D67D6FC18A92

Function 0092DF2D Relevance: 1.6, APIs: 1, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: df66a821b05f4b7c6b5dfc8838d9df69658f913b5a7ed26184cf2fc81de8c0f4
Instruction ID: 205b5e6ec288b43adce7e737b9a2111051306cab766cd2a9bb381e366535fab3
Opcode Fuzzy Hash: df66a821b05f4b7c6b5dfc8838d9df69658f913b5a7ed26184cf2fc81de8c0f4
Instruction Fuzzy Hash: A4C1CFB1D042689BEB21CB24DC816EAB7B5EF85310F1480FAD44DA7251E6389EC6CF52

Function 0092D921 Relevance: 1.6, APIs: 1, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6524fc4bf208f42cd4637affa885d12da86c412202bd417c8e2a36f3981b3055
Instruction ID: 120180b020c765fc7cc01273dd0a05b76e5d81efcc41a799a9a535c15b3e3b32
Opcode Fuzzy Hash: 6524fc4bf208f42cd4637affa885d12da86c412202bd417c8e2a36f3981b3055
Instruction Fuzzy Hash: FAC1C1B1D042689BEB218B28DC417EAB7B9EF85300F1480FAE44DA7255D6385FC6CF52

Function 0092D586 Relevance: 1.5, APIs: 1, Instructions: 295COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 56c8d68be07dd5788406c347328ba721fd60bacd34e897f8b6606a02a1661f2e
Instruction ID: 4a6aeda9d620d1cd61f9a36c97a2f2aa0fcdb32a1ca15cbc46810b691cf30dff
Opcode Fuzzy Hash: 56c8d68be07dd5788406c347328ba721fd60bacd34e897f8b6606a02a1661f2e
Instruction Fuzzy Hash: 34C1D2B1D042A89BEB21CB28DC416EAB7B5EF85300F1480FAD44DA7255E6385FC6CF12

Function 0092CE03 Relevance: 1.5, APIs: 1, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e0fc851b8ece82499fef03ab6016128b5ba0b2e631db8000bec33735c4b92a25
Instruction ID: a039fd31ee18275ae7cd41d6ff1e40d8435d287c25749b2c5473db21faecb2ed
Opcode Fuzzy Hash: e0fc851b8ece82499fef03ab6016128b5ba0b2e631db8000bec33735c4b92a25
Instruction Fuzzy Hash: 89C1DFB1D042688BEB218B24DC81BEAB7B5EF85310F1480FAD44DA7245E6395FC6CF52

Function 0092D50C Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 48530621e337c3bc95c9742e65efd2931dca66ee0a45ef8abf044a7ccf887c04
Instruction ID: 0d27c4aaab23515210eaed4e4a29605f78a00b936132cb47db13c15c2b56fa5e
Opcode Fuzzy Hash: 48530621e337c3bc95c9742e65efd2931dca66ee0a45ef8abf044a7ccf887c04
Instruction Fuzzy Hash: A1C1C2B1D042689BEB21CB28DC416EABBB5EF85310F1480FAD44DA7255D6385FC6CF52

Function 0092D513 Relevance: 1.5, APIs: 1, Instructions: 287COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c639c2e9671f76f2cea39f651a55cad2985b24a0e8426f451829d2145220683c
Instruction ID: f2e26e411e70b683345b0a75ae135288692e3f4825ffe059e68d57cef7ad772d
Opcode Fuzzy Hash: c639c2e9671f76f2cea39f651a55cad2985b24a0e8426f451829d2145220683c
Instruction Fuzzy Hash: E6C1B1B1D042689BEB21CB28DC416EAB7B5EF85300F1480FAD44DA7655D6385FC6CF52

Function 0092D96C Relevance: 1.5, APIs: 1, Instructions: 285COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 417c221c039cba8a70c980f34202d5965cb8327d2cc595b091b6a2b0553acd7a
Instruction ID: d5c0261a08b220fab25417fb70710a0c3213c0abae8eaa6615f73d2c4ec1014a
Opcode Fuzzy Hash: 417c221c039cba8a70c980f34202d5965cb8327d2cc595b091b6a2b0553acd7a
Instruction Fuzzy Hash: 63C1A0B1D042689BEB21CB28DC416EAB7B5EF89310F1480FAD44DA7255E6395FC6CF12

Function 0092E05B Relevance: 1.5, APIs: 1, Instructions: 278COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c3465f3d71e806301fa3f7ffb86aad1d29bf72c56369853b1ad61710e2431eeb
Instruction ID: df501c10d635e8dc3141c6ececbf0a09ac2c060f0da022ed57e65820b2bc47dd
Opcode Fuzzy Hash: c3465f3d71e806301fa3f7ffb86aad1d29bf72c56369853b1ad61710e2431eeb
Instruction Fuzzy Hash: CCC1B0B1D042689BEB21CB28DC816EAB7B5EF85310F1480FAD44DA7251E6395FC6CF52

Function 0092CDAD Relevance: 1.5, APIs: 1, Instructions: 267COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9f9f02aee59f7943ccd171892d063a1b6b4d04803551356c427d495a96b67d8f
Instruction ID: b92968b5be61177de0b1200211831dffeda55790e6df7f5fbb9f53647f29423e
Opcode Fuzzy Hash: 9f9f02aee59f7943ccd171892d063a1b6b4d04803551356c427d495a96b67d8f
Instruction Fuzzy Hash: 12B1C1B1D082689BEB218B24DC817EAB7B5EF85300F1480FAD44DA7655E6395FC6CF12

Function 0092D0BE Relevance: 1.5, APIs: 1, Instructions: 264COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a3c68ba5a0ae4b3f9ede6ce816736ec0b82a7bf61cda62af62c2f489b9d9c8b9
Instruction ID: 935434096ba4d62ba469034e5d8cc68d66f5c4ea752ea523fc9c6a9215c3e34a
Opcode Fuzzy Hash: a3c68ba5a0ae4b3f9ede6ce816736ec0b82a7bf61cda62af62c2f489b9d9c8b9
Instruction Fuzzy Hash: DDB1C1B1D052689BEB218B28DC817EAB7B5EF85300F1480FAD44DA7255E6395FC6CF12

Function 0092CE53 Relevance: 1.5, APIs: 1, Instructions: 260COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a2c9d2bfe0c50d5c10bfb20442ecdb689ee5930378d7364bd96a25402b470ee9
Instruction ID: c7b55734e6b429011864a5f6efb1e13d2a13bb2cbbc8e5d70144b3e2a743a9ab
Opcode Fuzzy Hash: a2c9d2bfe0c50d5c10bfb20442ecdb689ee5930378d7364bd96a25402b470ee9
Instruction Fuzzy Hash: EAB1B1B1D042689BEB218B24DC417EAB7B5EF85310F1480FAD44DA7255E6395FC6CF12

Function 0092E4F3 Relevance: 1.5, APIs: 1, Instructions: 257COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cb31a84abb640be04d62deb8061670e7ab0268140fa3efd4ffbad041c17b6da3
Instruction ID: 5bf3fcd9d13f19252e2fe1e337166c3e15d7e55d710abd582675345d10a65f14
Opcode Fuzzy Hash: cb31a84abb640be04d62deb8061670e7ab0268140fa3efd4ffbad041c17b6da3
Instruction Fuzzy Hash: 60B1BFB1D042689BEB21CB28DC816EAB7B5EF95300F1480FAE44DA7251E6355FC6CF12

Function 0092E131 Relevance: 1.5, APIs: 1, Instructions: 253COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9ed5337de668e76555b6d822bd6acee58fa74b02fb10ff32de9dd520817a5475
Instruction ID: 9dde4b69f558d91ae12d5af8f21b3d521d88c8d4bcb4c54448c9cda7ee094b83
Opcode Fuzzy Hash: 9ed5337de668e76555b6d822bd6acee58fa74b02fb10ff32de9dd520817a5475
Instruction Fuzzy Hash: A9B1AFB5D182688BEB218B28DC816EAB7B5EF85300F1480FAD44DA7251E6355FC6CF52

Function 0092D1AB Relevance: 1.5, APIs: 1, Instructions: 245COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ee8bcabaf6cf8e0c50a572676a6a49afd8705cc3655e00f9b3bedd3338c817d2
Instruction ID: 5a41e83c0bedf8e6d892f2a6901989d55ea13818cb7d9c24e8643f3d1306ec4a
Opcode Fuzzy Hash: ee8bcabaf6cf8e0c50a572676a6a49afd8705cc3655e00f9b3bedd3338c817d2
Instruction Fuzzy Hash: A0A1A0B1D042A88BEB21CB28DC417EAB7B5EF89300F1480EAD44DA7255E6355FC6CF12

Function 0092E150 Relevance: 1.5, APIs: 1, Instructions: 245COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 493e42f7a3e062a671232b6eecc6bbd0d33d34aa4ad799f1b5d8bf55b8fc890e
Instruction ID: 11e350774c19bbf98ab8f09354a04048412cc2640de4bfa90c158ae90d5452d8
Opcode Fuzzy Hash: 493e42f7a3e062a671232b6eecc6bbd0d33d34aa4ad799f1b5d8bf55b8fc890e
Instruction Fuzzy Hash: F3B191B5D042A88BEB21CF24DC416EAB7B5EF89300F1480EAD44DA7251E6355FC6CF12

Function 0092D1B4 Relevance: 1.5, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d7aca3b492e8fda41cdb94869fe373e110c29d01aeb374921c02df84d986ff5e
Instruction ID: b791541e8eaea9c70af09ae2767f184314153439e9f043a9c33c64f0fb3e53d5
Opcode Fuzzy Hash: d7aca3b492e8fda41cdb94869fe373e110c29d01aeb374921c02df84d986ff5e
Instruction Fuzzy Hash: CAA19FB5D042A89BEB21CF28DC416EAB7B5EF89300F1480EAD44DA7255E6355FC6CF12

Function 0092E044 Relevance: 1.5, APIs: 1, Instructions: 239COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 41c7d3bd10d69fd64efbf65a09572c0039eed2639ebc93dd04def2b0f59454ce
Instruction ID: bf7ec601865a2c15844b3c4393e72f340a1f09c8bfcfe7a2845f9a0f64145d90
Opcode Fuzzy Hash: 41c7d3bd10d69fd64efbf65a09572c0039eed2639ebc93dd04def2b0f59454ce
Instruction Fuzzy Hash: BAA19EB5D042689BEB21CF28DC816EAB7B5EF89300F1480EAD44DA7251E6355FC6CF12

Function 0092DA34 Relevance: 1.5, APIs: 1, Instructions: 238COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0092E56B

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 91f9873f1f828d18258c2f1c9a67aec2142c3cc22d78f5cb3377d3157bef2be8
Instruction ID: fa5b67bdb8f88b7d6f2f2234d936348c60abf3910b4841cc8e6895b84aac5602
Opcode Fuzzy Hash: 91f9873f1f828d18258c2f1c9a67aec2142c3cc22d78f5cb3377d3157bef2be8
Instruction Fuzzy Hash: 6CA1AFB5D042A88BEB21CB28DC416EAB7B5EF99300F1480EAD44DA7251E6355FC6CF12

Function 0041A1E4 Relevance: 1.4, APIs: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c18102a9b549633216f5c74cc17ab2ee03f2400ae3c4efad30dd2fb6268b7355
Instruction ID: f9afdad81f8fdcf05d3c57e3674116885cebb6d07487b47504391e48ceab0545
Opcode Fuzzy Hash: c18102a9b549633216f5c74cc17ab2ee03f2400ae3c4efad30dd2fb6268b7355
Instruction Fuzzy Hash: E75104B2D012259FE7208A14DC98BEB7B79EB94314F1440F7DD4DA7380D6789ED18E92

Function 009243B0 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55f027079e7cb60564dead9fd78a46f336e1de9c2e35134dc6d9648d162ecdf
Instruction ID: af672f1ddbcbca21a66a083a011ada9d808f16edd7cf67b666e278050dca3564
Opcode Fuzzy Hash: e55f027079e7cb60564dead9fd78a46f336e1de9c2e35134dc6d9648d162ecdf
Instruction Fuzzy Hash: 5CE147B2D046649FE720CA24EC94BEB7B78EB82310F1541FAD84E67245D6385EC5CF92

Function 009249D9 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d776b3173f28ee399caa221a489f5f5ab3d8fbc779cfd1bffe9c82644a3ca4
Instruction ID: 27a5f65e7a979b69470fca795de07bf0ede97b903ac247ba86d93cf21b95d44c
Opcode Fuzzy Hash: c3d776b3173f28ee399caa221a489f5f5ab3d8fbc779cfd1bffe9c82644a3ca4
Instruction Fuzzy Hash: 6C9156B2D052249FF7148B24EC45BEB7B78EF81310F1501FAD84E5B285E6386EC0CA92

Function 00924C96 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352f2487a9d62c9517a5208b56053ed359e218441c90e30d5cf73d8cfaf54a99
Instruction ID: 6d5907c18fd99993b4908c18013b9059f2842aba8ff705e4c9f8ccb2fa7a256d
Opcode Fuzzy Hash: 352f2487a9d62c9517a5208b56053ed359e218441c90e30d5cf73d8cfaf54a99
Instruction Fuzzy Hash: CD9155A2D056249FE7148B24EC45BEB7B78EF91310F0501FAD94E5B281E6786EC0CB92

Function 00924B83 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c1b6dd75e3f448bedbbe60c47beef4ef8e6f32f39c858370462287ae324694
Instruction ID: 59c6e5d88634a470f18c84064855b207062eb1d3c79530f86991056e0817b08c
Opcode Fuzzy Hash: 93c1b6dd75e3f448bedbbe60c47beef4ef8e6f32f39c858370462287ae324694
Instruction Fuzzy Hash: 018147A2D085748FE7148B24EC557EB7B74EF91310F0501FAD88E6A286E6385EC1CB92

Function 009249FD Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f2c22fcb8c161386fdd9af565e69adcd0a142fbdbfea471650a6e5ef1fc234
Instruction ID: 52046558d8c0d24a528bbbb3f7fa207788e9bf76f4e305d8472ecbc5c6e6b4eb
Opcode Fuzzy Hash: 38f2c22fcb8c161386fdd9af565e69adcd0a142fbdbfea471650a6e5ef1fc234
Instruction Fuzzy Hash: 197146A2D056649FE7148B24EC45BEA7B74EF91300F0501FAD94E5B281E6786EC0CF92

Function 00924A37 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4594d1129ccd24c4aef7ef681547a68d34dabb95191ed0ba44d4d5a32f0dcbac
Instruction ID: 579dff5af24488d864ab53b47564ed30b1220b357f2a887eaf74f607f5b41145
Opcode Fuzzy Hash: 4594d1129ccd24c4aef7ef681547a68d34dabb95191ed0ba44d4d5a32f0dcbac
Instruction Fuzzy Hash: 1A7168A2D046648FE7149B24EC457EB7B74EF91300F0501FAD94E5B281E6796EC0CB92

Function 0092494C Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e172ba863579ed008d12eba08a48b321337b4d2d42deeae5d5033ffb2c369b
Instruction ID: a10a35ccddaa9fa7c252b380811c9d920318840d0b7f7b14dbe2e559e8d4c218
Opcode Fuzzy Hash: 17e172ba863579ed008d12eba08a48b321337b4d2d42deeae5d5033ffb2c369b
Instruction Fuzzy Hash: 7A417AB2D045249FF3148660EC95BE77B68EF42310F1442FED94E9A2C1E6786EC5CA93

Function 0092496A Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87dac4123fe516796939c386e0ab43032901f91499b0ef24b7da3bb22314316
Instruction ID: 1da655831cfdd130df01c16998e03c9d6daf5d788cf0f9073c478780303734f5
Opcode Fuzzy Hash: f87dac4123fe516796939c386e0ab43032901f91499b0ef24b7da3bb22314316
Instruction Fuzzy Hash: 824168B2D046649FF3109660EC55BE77B68EF42310F0542FAD88EA61C1D6786EC5CE92

Function 00908F82 Relevance: 29.9, APIs: 1, Strings: 16, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x, xrefs: 009094BB
r, xrefs: 0090948A
l, xrefs: 0090947C
t, xrefs: 009094AD
i, xrefs: 00909459
u, xrefs: 0090946E
c, xrefs: 009094A6
V, xrefs: 00909452
P, xrefs: 00909483
a, xrefs: 00909475
o, xrefs: 00909491
E, xrefs: 009094B4
e, xrefs: 0090949F
t, xrefs: 00909498
r, xrefs: 00909460
t, xrefs: 00909467

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: E$P$V$a$c$e$i$l$o$r$r$t$t$t$u$x
API String ID: 4275171209-4025948460
Opcode ID: ac64d7f13e9c15808d18cf4858f2769c35e62be556248496d9be5878dbbeedf6
Instruction ID: b03c6ef51bac94a664c58d309e2e6be3053c93c478b8dedac05ec1dde8ccecd3
Opcode Fuzzy Hash: ac64d7f13e9c15808d18cf4858f2769c35e62be556248496d9be5878dbbeedf6
Instruction Fuzzy Hash: 77415261C082E88EEB21C668CC447DABBB4AB15344F0441EAD98D662C2D77D1F85CFA1

Function 00908F91 Relevance: 29.9, APIs: 1, Strings: 16, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000002), ref: 009093BF

Strings

x, xrefs: 009094BB
r, xrefs: 0090948A
l, xrefs: 0090947C
t, xrefs: 009094AD
i, xrefs: 00909459
u, xrefs: 0090946E
c, xrefs: 009094A6
V, xrefs: 00909452
P, xrefs: 00909483
a, xrefs: 00909475
o, xrefs: 00909491
E, xrefs: 009094B4
e, xrefs: 0090949F
t, xrefs: 00909498
r, xrefs: 00909460
t, xrefs: 00909467

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: E$P$V$a$c$e$i$l$o$r$r$t$t$t$u$x
API String ID: 4275171209-4025948460
Opcode ID: abd856786997a5805a1c96da4d39880b379d785c000a8b34db9fc76ae62d07b7
Instruction ID: bc7d6f3b0a1f5b5790e91e72d678df10703eb005afd68414d83d385b19fc2d43
Opcode Fuzzy Hash: abd856786997a5805a1c96da4d39880b379d785c000a8b34db9fc76ae62d07b7
Instruction Fuzzy Hash: A2415161C082E89EEB21C658CC487DABBB4AB15354F0481E6D98D762C2D77D1FC5CFA1

Function 00909354 Relevance: 29.9, APIs: 1, Strings: 16, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000002), ref: 009093BF

Strings

x, xrefs: 009094BB
r, xrefs: 0090948A
l, xrefs: 0090947C
t, xrefs: 009094AD
i, xrefs: 00909459
u, xrefs: 0090946E
c, xrefs: 009094A6
V, xrefs: 00909452
P, xrefs: 00909483
a, xrefs: 00909475
o, xrefs: 00909491
E, xrefs: 009094B4
e, xrefs: 0090949F
t, xrefs: 00909498
r, xrefs: 00909460
t, xrefs: 00909467

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: E$P$V$a$c$e$i$l$o$r$r$t$t$t$u$x
API String ID: 4275171209-4025948460
Opcode ID: a5409c74580e52627428fb5bbd63772c2a95dbf5b5cd0229b4c51da6d93c0f11
Instruction ID: c13e241ea231f57f1640613e4bb7125566b497fa46500ad4427805ed33aa33b3
Opcode Fuzzy Hash: a5409c74580e52627428fb5bbd63772c2a95dbf5b5cd0229b4c51da6d93c0f11
Instruction Fuzzy Hash: CF416071C082E88EEB20C618CC447DABBB4AB55344F0481EAD98D762C2D77E1EC58FA1

Function 0041B0A6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KMO?, xrefs: 0041B161
BA7K, xrefs: 0041B0ED

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: BA7K$KMO?
API String ID: 544645111-982559411
Opcode ID: 99ddc2b67476b2347748145275dc7ec355c2bfc88c4de2235ec212d4dc09f047
Instruction ID: 8d375e5a3e5d64dc31fa456cfe304ae375048e662fcce7c09d6158256a77fdec
Opcode Fuzzy Hash: 99ddc2b67476b2347748145275dc7ec355c2bfc88c4de2235ec212d4dc09f047
Instruction Fuzzy Hash: 5141A9F2D48214AFF7108A25DC84BEB7B29EB91314F1480BBE84C56580D67C4FC28AA7

Function 0041B0BB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KMO?, xrefs: 0041B161
BA7K, xrefs: 0041B0ED

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: BA7K$KMO?
API String ID: 544645111-982559411
Opcode ID: b3b61a8ac74895e74504ec25524f4e5a51f69929cc0d455e9b33d0f62f99b9a5
Instruction ID: fe2ee70aaf04f7e3277a0ecce4d31d350e849c2cd53664e07033b2e423a8cb10
Opcode Fuzzy Hash: b3b61a8ac74895e74504ec25524f4e5a51f69929cc0d455e9b33d0f62f99b9a5
Instruction Fuzzy Hash: B6319BF2D44214AFF7108A24DD84BEB7729EB90314F10817BE80D56580D67C0FC28EA7

Function 0041B0D2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KMO?, xrefs: 0041B161
BA7K, xrefs: 0041B0ED

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: BA7K$KMO?
API String ID: 544645111-982559411
Opcode ID: 60c0dc815876eb394188417ce6fb4030e392055f8047786d3cdad65afce3ac44
Instruction ID: 518e9351469f8adbaf58ca121205b2dabd89fe75e7849debeaee1ec382721bcb
Opcode Fuzzy Hash: 60c0dc815876eb394188417ce6fb4030e392055f8047786d3cdad65afce3ac44
Instruction Fuzzy Hash: C63146F2D44604AFFB108A24DDC5BEB7765FB90314F2081BBE84D96580C67C4EC28EA6

Function 0041B0DD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KMO?, xrefs: 0041B161
BA7K, xrefs: 0041B0ED

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: BA7K$KMO?
API String ID: 544645111-982559411
Opcode ID: 853b9ca04643e4498b8ce249aaff31effd0ee0d80ec036a84c1b7f337f9717a2
Instruction ID: a4299aee007434edc4f1fad4cfc399e56ab5149b6caf1286c9dc6a028abbf0ef
Opcode Fuzzy Hash: 853b9ca04643e4498b8ce249aaff31effd0ee0d80ec036a84c1b7f337f9717a2
Instruction Fuzzy Hash: D7315AF2D44214AFFB108A24DD85BFB7769EB91314F1081BBE84D56580D67C4FC28EA6

Function 008FD036 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

AYVP, xrefs: 008FD03A
jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: AYVP$jjjj
API String ID: 963392458-1055777859
Opcode ID: 57a61e12a04aadf13632ff4f52ad7bc13d0528fbeb1a04166b50b0c9682dfa36
Instruction ID: a72999a2518c322e2fc7bad6b31835efab50b355a780aeee28319e3a5ec991b4
Opcode Fuzzy Hash: 57a61e12a04aadf13632ff4f52ad7bc13d0528fbeb1a04166b50b0c9682dfa36
Instruction Fuzzy Hash: 163148F2D0871C9BF3248920EC85BF77779F380310F2441B9EA0AA6684DA7D5FC18A51

Function 00928AF8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 213registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: e13cb54327555cebc8225b1d9ab84f1113d8ceb505d83e68055340efedb2236a
Instruction ID: 48907e132284ba4da0e895d68d97b66702144d675898c560e1bb1177acf77d4c
Opcode Fuzzy Hash: e13cb54327555cebc8225b1d9ab84f1113d8ceb505d83e68055340efedb2236a
Instruction Fuzzy Hash: 6D71E3B2C091249BE7248B24EC457FB7778EF14310F1445FAD80D96685EA3D5EC58F52

Function 00935439 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009368AD

Strings

R, xrefs: 00935482

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID: R
API String ID: 2738559852-1968290334
Opcode ID: 7420c00f8ed87e78f41e9eda3788c77f6466de3fb47cc0b3e30b2d930fa29b42
Instruction ID: bc6c480e5ae8a040bf995454998ee0423a458dd76070a2018b2816b4c0b4b287
Opcode Fuzzy Hash: 7420c00f8ed87e78f41e9eda3788c77f6466de3fb47cc0b3e30b2d930fa29b42
Instruction Fuzzy Hash: D15134F2D0511A9BE7248B24DD44BFB7BBAEFD4310F0581BAE50996240E2394EC08F91

Function 0092902F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: Ph?
API String ID: 0-2294233904
Opcode ID: 702e1306a79956221191506d570cff936ffe6e866dbe02b021f55942832614ac
Instruction ID: e124e5ec8c0205c7fdb5108dd6cd4ceed52320e03f59b65a3fe0928a8405c738
Opcode Fuzzy Hash: 702e1306a79956221191506d570cff936ffe6e866dbe02b021f55942832614ac
Instruction Fuzzy Hash: FD51E4B1D145289BFB348B18EC45BEAB7B8FF54310F1442FAD90D62280EA785FC68E40

Function 00929008 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: Ph?
API String ID: 0-2294233904
Opcode ID: 53a87a705510311d901611027d713b48160e557bd0f5dfe9a1068ceebf4da2af
Instruction ID: bc7a9007480628cad983ab1b9ba242408d286fe138f80baf22f9f62564623545
Opcode Fuzzy Hash: 53a87a705510311d901611027d713b48160e557bd0f5dfe9a1068ceebf4da2af
Instruction Fuzzy Hash: 0651D3B2D545289BFB348B18DC45BEAB7B8FF54310F1442FAD90D62280EA785FC68E51

Function 008FCC7D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 0e49e0b74dd3b5c4f80a5c6d521b45afacf2138b859b315511409426c71b6e4a
Instruction ID: f5a2093db8a428e70826003b6e8d4705d943c0519463c1447c8fd4ecfcae38a6
Opcode Fuzzy Hash: 0e49e0b74dd3b5c4f80a5c6d521b45afacf2138b859b315511409426c71b6e4a
Instruction Fuzzy Hash: D541F4B2D4431C9BF3248A24DC85BF77769F784310F2441BAEE0DA6684DA7D5FC18A91

Function 008FCC8F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: fc943ff3e22aba6163275a2c5525feb81b2eddd97a8bb28c81ff58a182882f7f
Instruction ID: af4c9915508c77027e8281b4d687b7caa9669c5c6b413c36cf42f25fdf20a9f6
Opcode Fuzzy Hash: fc943ff3e22aba6163275a2c5525feb81b2eddd97a8bb28c81ff58a182882f7f
Instruction Fuzzy Hash: 0041F5B2D4431C9BF3248A24EC85BF77769F784310F2441BAEE0E66684DA7D5FC18A91

Function 00935CF8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009368AD

Strings

:PDA, xrefs: 00935DC5

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID: :PDA
API String ID: 2738559852-1201672814
Opcode ID: 5432a28f903352d3cd205a5f21f45ec29890da8dc9ad520dcd2c50fefd7f0987
Instruction ID: 6d904a6addae68954b70ef1824fd84b7144ef99378f8d210dad2474a715c6ecc
Opcode Fuzzy Hash: 5432a28f903352d3cd205a5f21f45ec29890da8dc9ad520dcd2c50fefd7f0987
Instruction Fuzzy Hash: C84149F3E05514AFF7208A24DC49AE77B78EBC4311F1541FAE50E8A281E27C5AC68E52

Function 008FCC29 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 2cd33a3824cbd3e42e59681beb5d0caa253d403d42e3c2b12ee9f94a57fbc975
Instruction ID: a37290f424a0b0b4898bd5c70240da52ebb319f06ee663022d33edafb5fe80e4
Opcode Fuzzy Hash: 2cd33a3824cbd3e42e59681beb5d0caa253d403d42e3c2b12ee9f94a57fbc975
Instruction Fuzzy Hash: DA4107F2D4831CABF3244920EC85BFB7669F780314F2441BAEB0AA56C4DA7D5FC58951

Function 008FCF5C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: fa67a8eeb3d594c4a33976883dcdc01ab523998dad10d5d6dc3c5ea244ad59b5
Instruction ID: 93aa1d17d19047b5c9393bde88e4d5daaaa3f15c2ca3b0bde03d45646b652a16
Opcode Fuzzy Hash: fa67a8eeb3d594c4a33976883dcdc01ab523998dad10d5d6dc3c5ea244ad59b5
Instruction Fuzzy Hash: B841F7F2D0431CABF3244920EC85BF77669F780314F2441BAEA0AA6684EA7D5FC58951

Function 008FC500 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 71548ff588c8a25b89e926bde5db5f08b0f2232d596427d4319eb5e190d85d70
Instruction ID: ad27ccbe0ebf5d6894a6903426bb98f833ce5362b8ba8de4c66f637afb5ba0b2
Opcode Fuzzy Hash: 71548ff588c8a25b89e926bde5db5f08b0f2232d596427d4319eb5e190d85d70
Instruction Fuzzy Hash: 053107B2D4532D5BE7208A65DC54BF6B77AFB44310F1480FAEA0DA6680D2BD1FC18E91

Function 009290F7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 4c31dc82b892778bf38b3542b782e6ce7ba42086a001c0cfe11767495fa72d38
Instruction ID: 1665148933523f6769802c896803ceab70bc67ad574f13d10fe09e9c1579c24f
Opcode Fuzzy Hash: 4c31dc82b892778bf38b3542b782e6ce7ba42086a001c0cfe11767495fa72d38
Instruction Fuzzy Hash: F631E1F3D541259BF7388A18EC8ABFB7768EB50310F1441BAD90A91280E5BC5FC18E51

Function 009291BE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 8ad9bddbd8eae0ce8c66993eb1f206818897a0a6f52c4beeaf4a53591353a7e8
Instruction ID: b2610c0b1a6617aa825d487c863afdfe8507f130c56a8d9503642892cb956bc2
Opcode Fuzzy Hash: 8ad9bddbd8eae0ce8c66993eb1f206818897a0a6f52c4beeaf4a53591353a7e8
Instruction Fuzzy Hash: B53106F3D15124ABF7388A14EC55BFB7368EB94310F1441BAD90E96680E5BD4FC18E51

Function 0092910A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 490c7e86cc4ab99c72bf810ba5f23c468464c4b7f85be99d9850f39b35cee4ae
Instruction ID: 7287840ef33a1a37bc777b5874f0692c4a44d21eeeaa9fced6114c609bd5497d
Opcode Fuzzy Hash: 490c7e86cc4ab99c72bf810ba5f23c468464c4b7f85be99d9850f39b35cee4ae
Instruction Fuzzy Hash: 4231D0F3D141259BF7348A18EC89BFB77A8EB90310F1441BAD90EA1680E5BC5FC58E11

Function 0041B0F3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

KMO?, xrefs: 0041B161

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: KMO?
API String ID: 544645111-3566493764
Opcode ID: d02b30af1ebc46168b3cc64ff19230de9e7d2acd7c0577e19570f0e8984fc77a
Instruction ID: a8833e74c5dfe6ae15aa5f7d3f56686113766aa345adcb28aac52213c8f94dbd
Opcode Fuzzy Hash: d02b30af1ebc46168b3cc64ff19230de9e7d2acd7c0577e19570f0e8984fc77a
Instruction Fuzzy Hash: ED3159F2D44214AFFB108A24DD84BEB7769EB90314F2581BBE80C56680D67C0FC28E96

Function 008FC53A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: f2d68a9fec70fb9cc1551676e96618bbc0eebe987a28b83d6f7907a976b905c0
Instruction ID: e2aa843fd7baae044f1b3cf7ead82fe3bf09f9247c50ffd61aacab1e653596b2
Opcode Fuzzy Hash: f2d68a9fec70fb9cc1551676e96618bbc0eebe987a28b83d6f7907a976b905c0
Instruction Fuzzy Hash: 5331F6F1D4936D5BE7218A64DC54BF6B77AFB44300F1444F9EA0DA6284D2BD1FC18A50

Function 008FC52F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: a55d42a32fb0449322a8a1dc0ff1a3912b3131c29a802282ac1bd1e5f17bd2f5
Instruction ID: ced753451ed1c6c6de6f392274cc7855d6b1cd1124cc913e1b8eca6d21b4c9ab
Opcode Fuzzy Hash: a55d42a32fb0449322a8a1dc0ff1a3912b3131c29a802282ac1bd1e5f17bd2f5
Instruction Fuzzy Hash: A331F4F2D4532D5BE7208A60DC54BF6B77AFB44310F1480F9EA0DA6680D6BD1FC18A91

Function 008FC5F6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 6675f78076dc058b8477b674f3f583a0506f49036ba4e3603563ee60faa9ef2a
Instruction ID: af4ba5d0648222fbfd4b874736b52c25b69d2a30b7f237d84ec5e1309303a568
Opcode Fuzzy Hash: 6675f78076dc058b8477b674f3f583a0506f49036ba4e3603563ee60faa9ef2a
Instruction Fuzzy Hash: DB31C3F2D0531D6BF7208A60DC51BF6B679EB44710F1480B5EA0DA6280D2BD5BC18A51

Function 008FCA55 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 7e2d97cce9af66975237be6cf2724ebf51eb3c49c9c9eb1c5b3bc30886269d9b
Instruction ID: d43acfbdef775c6cb51d66a0776e3f1c423be21634ee6153e8ca3f980a71b77f
Opcode Fuzzy Hash: 7e2d97cce9af66975237be6cf2724ebf51eb3c49c9c9eb1c5b3bc30886269d9b
Instruction Fuzzy Hash: 5731F5F1D0431D5BE7218A61DC95BF6B77AFB44300F1480F5EA0CA5280E2BD1BC18E91

Function 008FCA60 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 7f67a42364fa3deebc6ead6756adaca5c835abcf9f3bb1e97c29226214b3ecab
Instruction ID: 7f1a551617350e7baf44e492da0c0e4d01633e5aedb9151eb1da708eddf0a20a
Opcode Fuzzy Hash: 7f67a42364fa3deebc6ead6756adaca5c835abcf9f3bb1e97c29226214b3ecab
Instruction Fuzzy Hash: 2E31E7F1D4532D5BE7218A61DC95BF6B77AFB44310F1480F5EA0CA5180D2B91FC18E51

Function 00928A76 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 95f306905971f6d931cde9d6269b92bd6b8f24129d9230b6b6e3d66d04b0db07
Instruction ID: b1786956845bfbfd95173d147e965411f6cd6b6d88d389aabca00a283e1273d0
Opcode Fuzzy Hash: 95f306905971f6d931cde9d6269b92bd6b8f24129d9230b6b6e3d66d04b0db07
Instruction Fuzzy Hash: 5B218AE2C041389BF7204A24EC09BFB3768EB40310F1446BBE80D95985DB7D4FC9DA92

Function 00414414 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Strings

FZWS, xrefs: 00414418

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID: FZWS
API String ID: 3070290716-4186486854
Opcode ID: 603d92c9521ec5b4c15847d1b22ea47be2f3016f587f1c45e2df1241eefd7b30
Instruction ID: daa70a0f0b3ca0bf90d91e572d052b112d8ddff4875c7187838b6c3e153f0be1
Opcode Fuzzy Hash: 603d92c9521ec5b4c15847d1b22ea47be2f3016f587f1c45e2df1241eefd7b30
Instruction Fuzzy Hash: A641C471D045288FDB24CB69CD84BEABBB6EBD4305F1482EAD40C67294C7785BC9CE46

Function 008FD067 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: e780a790220883ea22df20e9b8649ae09045a8e63348ee44d9e2f26a2ef325de
Instruction ID: 2d6e3152b6493ac14451be529b9174dccca85504a43fee981c9a863e82fac5ea
Opcode Fuzzy Hash: e780a790220883ea22df20e9b8649ae09045a8e63348ee44d9e2f26a2ef325de
Instruction Fuzzy Hash: 1C3149B1D0834C9FF7208A20DC85BF67736F780310F2841FAEA09A6685DA7D1FC58A51

Function 008FD086 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 4a23adc0df1eeed32f9b51507e8ad81afeefbea58b7c7a6aa5a10580896975e9
Instruction ID: 4c65c1436f9fc67343a195ebec73084628de453c2450f39f7c1b7b7f5e8cf5ba
Opcode Fuzzy Hash: 4a23adc0df1eeed32f9b51507e8ad81afeefbea58b7c7a6aa5a10580896975e9
Instruction Fuzzy Hash: 713136B1E0834C9FE7248A20DC45FF67736FB80310F2841FAEA0999285DA7D5FC59A56

Function 00929292 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: e0bd1b4241dc25f47ea99dbaf07e388f3b30ee26c7c1d768c1dcf5709500c9fb
Instruction ID: 77d06341b495a0b7d91db1c43b1b9d3f5d7bda9305c5ed17ea6865da40f342d9
Opcode Fuzzy Hash: e0bd1b4241dc25f47ea99dbaf07e388f3b30ee26c7c1d768c1dcf5709500c9fb
Instruction Fuzzy Hash: 9A21E5F3D151249BF7348A18DC95BFA73A8EB50300F1441BAD90DA6680E5BC4FC08E51

Function 0092965B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 279e80c552c357aa643471d0816545c1a78a8fa0ea86862ef44f9b523458aab9
Instruction ID: 8b83ca7460e753b19c40e29a06e645b7551a24c94704d75ce7f3278d164c5f16
Opcode Fuzzy Hash: 279e80c552c357aa643471d0816545c1a78a8fa0ea86862ef44f9b523458aab9
Instruction Fuzzy Hash: F821D3F3C191259BF7348A18DC9ABFA77A8EB10300F1801FAD90E95280E6BD4FD18E51

Function 0041B14C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

KMO?, xrefs: 0041B161

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: KMO?
API String ID: 544645111-3566493764
Opcode ID: 13bba247a31b2437c847d6cd7700bdefbaf720da2429000bb8402dd6dfb22b41
Instruction ID: e1d9a0bce33dd32428a726e34ee833ea0d9f13118be23c55441caf71ba35fc79
Opcode Fuzzy Hash: 13bba247a31b2437c847d6cd7700bdefbaf720da2429000bb8402dd6dfb22b41
Instruction Fuzzy Hash: D22134F2D44614AEFB108A20DD89BEF7765EB95315F2081BBE90C95484D37C4FC28E9A

Function 008FD0AD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: f9101f898db2d8a36029bf2420f67f32d0febad9086b9ba0feb513e37c3c0f5b
Instruction ID: a4de42779d0878d823eef028e57d2932bf120d08958013930acf399b8011e2bd
Opcode Fuzzy Hash: f9101f898db2d8a36029bf2420f67f32d0febad9086b9ba0feb513e37c3c0f5b
Instruction Fuzzy Hash: 4A21D6B1E4435C5BF7248920DC46BF67376F790310F2441B9EB0AA5284EA7D1FC18A55

Function 00929211 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 25bb8623a564ed418f2bbdf21d10ddfaff738355cacdf1c98409e42e47198c94
Instruction ID: 63ceca48a2ad569122c862bc20fddcd934def94a7f0c4625c0ad55f1bd10e874
Opcode Fuzzy Hash: 25bb8623a564ed418f2bbdf21d10ddfaff738355cacdf1c98409e42e47198c94
Instruction Fuzzy Hash: 8321C1F3D151259BFB348A18DC99BFAB368EB54300F1442FAD90DA6680E6BC5FC09E51

Function 0092921C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 264b084a436f594f887778fdd8c0b62c4631b14476604caf6301183aa2824c94
Instruction ID: e1f2e376ecf5d7c5d358bd662e425a7c428dc8e86d7233fe0c9ffe389c05fa87
Opcode Fuzzy Hash: 264b084a436f594f887778fdd8c0b62c4631b14476604caf6301183aa2824c94
Instruction Fuzzy Hash: B721D3F3D151299BF7348A18DC99BFA7368EB50300F1402FAD90EA6680E6BC4FC18E51

Function 00928A7B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 13edbb2fdf41a77a9e19a6e66c14fe9969c3d51963dafb9452386177e3f04e3e
Instruction ID: e24bcd7c4fac50d8b4df947110183f3ac8e0e3dbecd57b26d6a29915e4aabb5d
Opcode Fuzzy Hash: 13edbb2fdf41a77a9e19a6e66c14fe9969c3d51963dafb9452386177e3f04e3e
Instruction Fuzzy Hash: B32107B3C04128ABFB204A14EC49BFB7BA8EB04310F1445BAE84995585DABC4FC5DE92

Function 00929676 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 5a7669389fc93df8a6035789a8f8e7b5b67481c48d6e3d534e0a1dc96153f1fd
Instruction ID: cf4fa25a7b3f1a3e2cdacbeba368810d27f2fbedc17993374997cf1a7d2c731b
Opcode Fuzzy Hash: 5a7669389fc93df8a6035789a8f8e7b5b67481c48d6e3d534e0a1dc96153f1fd
Instruction Fuzzy Hash: 1C21C5F3D151259BF7348A18DC99BFA77A8EB14300F1401FAD90DA6680E6BC5FD08E51

Function 008FD5EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 20e4a1d0d062b5641eee1e6481d3c2aa0e3170e59113f32de7a91e4c47d48ca5
Instruction ID: 0464d99f81646e63d88de1cc39ef2957a472fbe6ceba742cc2cbea7de798d2d2
Opcode Fuzzy Hash: 20e4a1d0d062b5641eee1e6481d3c2aa0e3170e59113f32de7a91e4c47d48ca5
Instruction Fuzzy Hash: 6D11B1F1D4831D6AF7248A20EC56FF67269F754710F1442BAEB0A69280E6B92F804A91

Function 00929DFE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 98d240a77a5661396d6d414522bf6e4efd3ba03177167a572a44909354f3e273
Instruction ID: fddb57d6db7cd2118c4e4c53c2b33c8b20e23bf9c3c7ff219ddd76930c6c85aa
Opcode Fuzzy Hash: 98d240a77a5661396d6d414522bf6e4efd3ba03177167a572a44909354f3e273
Instruction Fuzzy Hash: 1D1193F3C105289BFB208A00EC4ABFB7368D714311F1446B7D90E96284D5BC5EC18E92

Function 00928B3F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 6dbf794af0b7b51a0206f17a9ed2908a6875852448d3b1778fbba4b10011bc09
Instruction ID: c79f232bb8887c4dbc2138d206d534bb8c87794f51bd57217e09681d08292ce3
Opcode Fuzzy Hash: 6dbf794af0b7b51a0206f17a9ed2908a6875852448d3b1778fbba4b10011bc09
Instruction Fuzzy Hash: FA1121F3C15428AEF7208900EC0ABFB72A8E754311F1849BBD94AD1580DABD4EC59E53

Function 008FD0EE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 01c018c52c575891a276cd42e2595f61fe2e992ad3e96b7205e15bc9cb9c0f8d
Instruction ID: 1f4de1b970808d20159acbfd9953f06ab19c8ae8e35e4f15f1b9b27b319c6aaa
Opcode Fuzzy Hash: 01c018c52c575891a276cd42e2595f61fe2e992ad3e96b7205e15bc9cb9c0f8d
Instruction Fuzzy Hash: DB1127B1E4835C6BF7208A20DC41FF6737AF790711F1441F9EA05A5680E6791FC08E55

Function 008FC26F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 2ecf64a619fa96da74018a44daff10df9be3fa4bcb566f69a7bd62b9c9f93579
Instruction ID: 72b93e153e13225f9a23d561a623c8509fcd776a384e41278d8dba75c53f5d6e
Opcode Fuzzy Hash: 2ecf64a619fa96da74018a44daff10df9be3fa4bcb566f69a7bd62b9c9f93579
Instruction Fuzzy Hash: 681106E1E4830C6BF7208921EC46FBB7229F780714F1442BEFB0A945C0E6BD5B815996

Function 008FD22E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 6724b844fba6609ed399b22b107afa8332516e9823f71d012f07834db78573c3
Instruction ID: 5d0519e679868b308c9506ac35bebfd4bf06243a90b153247cd067cd829a0e6d
Opcode Fuzzy Hash: 6724b844fba6609ed399b22b107afa8332516e9823f71d012f07834db78573c3
Instruction Fuzzy Hash: 8B1127B1E0835C6AF7308A21DC46FB6B336F790710F1441BDE70A666C0EBBD2B804A84

Function 00928B32 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 51378c83972f23baa74f426988e41eeeb0f22dddb31f66947647f9d532d5da3c
Instruction ID: b2602d4758f474e69a3c132cc0aa61a73659b720234cc27e02c6631431e226b9
Opcode Fuzzy Hash: 51378c83972f23baa74f426988e41eeeb0f22dddb31f66947647f9d532d5da3c
Instruction Fuzzy Hash: 981144F3C15014AFF7208900EC0ABFB7268E714310F1849BAD90AD0984DBBC4FC5AA12

Function 00929E10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 2b2dc7387bcdf4d43713a0a45ef1ab58c751d8c5d6521613cd854813b91b95f3
Instruction ID: 2caab3e23e82e0da75a81f5c65cf9e9d71d4cdf66e3ce7c88b6ad1f00541d44e
Opcode Fuzzy Hash: 2b2dc7387bcdf4d43713a0a45ef1ab58c751d8c5d6521613cd854813b91b95f3
Instruction Fuzzy Hash: 121182B3C005249FFB248A04DC4ABFB7768D714311F1441FAD90DA6684E5BD5EC19E91

Function 008FD1B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 671597b5841e1523677900ca648f68f3dce3c1f2a16d4d310ee05830db68df72
Instruction ID: 7fa68ca0481f30df6547ba4b349834fc8455d3098e8e61493c5c3ae6654c8a38
Opcode Fuzzy Hash: 671597b5841e1523677900ca648f68f3dce3c1f2a16d4d310ee05830db68df72
Instruction Fuzzy Hash: 671106B1E0835D6AF7208920DC41FF6B376F794751F2441F9EB09AA280E6792FC08A94

Function 008FCAFC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: b6704b965f445e29587475ebe42281e65aaac405383068dc0c2dd2ce58e1a02a
Instruction ID: 4bb6bcf7944fdb4c58596f6b9e61751796b08821d56f21120e127e329e9b7b32
Opcode Fuzzy Hash: b6704b965f445e29587475ebe42281e65aaac405383068dc0c2dd2ce58e1a02a
Instruction Fuzzy Hash: 8401D6F1E4931C66F7208911DC01FF67276F790710F2481B9E709A95C4E2BD5B814995

Function 00928AC1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 8ebb7f44dc88f47b29242ba9c07b06a7087df78b28fd08135412bed4800c61aa
Instruction ID: 03b0d32143bd4f28f6450c4236e11cef2248aca618e70b400e7fd111d5709fb0
Opcode Fuzzy Hash: 8ebb7f44dc88f47b29242ba9c07b06a7087df78b28fd08135412bed4800c61aa
Instruction Fuzzy Hash: BC01D2F3C15014ABF7248900ED0ABFB7268E714314F1845BAE90AA5584DBBD4FC49A52

Function 008FD1CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: b3fd1f676b41be3c7fefdaab99349340e42fe0549185fb0b33c63de6c3970fd0
Instruction ID: 9e76405de74f2015289e99c6455f8fbbfdd2e09ad6b0192e182bd191f2e7b743
Opcode Fuzzy Hash: b3fd1f676b41be3c7fefdaab99349340e42fe0549185fb0b33c63de6c3970fd0
Instruction Fuzzy Hash: 321104B1E0835C6BF7308A20DC41FFAB376F784710F2442E9E709A5284E6792F808E94

Function 00928DCE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 895539d09c69e3d99d4039e310c8cda62506051b27437a81f0f61ad221e42880
Instruction ID: b69213993b306d412bcaeca0c0d917eb47b7983f7ccab70ff1c1ff39a6b4d3ab
Opcode Fuzzy Hash: 895539d09c69e3d99d4039e310c8cda62506051b27437a81f0f61ad221e42880
Instruction Fuzzy Hash: FC11A1F3C150159FF7208900EC4ABFB7268E754314F1444BAD90AA1684DABD4EC59A52

Function 0092A1EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 19d02807c26f27d9082fc2cf19c97259831d7769e88bf91d0daee58d33c2b969
Instruction ID: d6a6a1bdf2e74732671f6d9170a93abeb88e89f175e254cfb00d36f9147e676e
Opcode Fuzzy Hash: 19d02807c26f27d9082fc2cf19c97259831d7769e88bf91d0daee58d33c2b969
Instruction Fuzzy Hash: 020184F3C14158AFFB248A50DC56BF772A8D714310F1405B6E909E5280E6BD8FC49E52

Function 008FC298 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: adfda6d4ce1c955e57f23ead5956d21ae90f5e4a291a1af6df37077d0104c47f
Instruction ID: 14428cad4ab1f8e633aa5948f162ab809ef1ddad6e5407e1c35e2a9d60ba39f3
Opcode Fuzzy Hash: adfda6d4ce1c955e57f23ead5956d21ae90f5e4a291a1af6df37077d0104c47f
Instruction Fuzzy Hash: 0101F5B1E4831C6AF7208A20EC41FF6B276F750714F2441EAE70AA91C0E6795F805A95

Function 00928E73 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: bcbd25e33be6df7c240c6772f86f96a0e9d9afef977ae2b3194d36c4305a70b2
Instruction ID: 9fc60c11f3f740e7613e97e0134c792dab45b322f04096a7e0685ee7b7d42841
Opcode Fuzzy Hash: bcbd25e33be6df7c240c6772f86f96a0e9d9afef977ae2b3194d36c4305a70b2
Instruction Fuzzy Hash: 1301D2F3C04018AFF7208900EC0ABFB7268E754314F1444BAD94AA1680DABD4EC49A12

Function 00929E35 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: ad56a847cf1d184b0cc1197c6656717f9f5fa0db7cc025dfa61769f14cab1f55
Instruction ID: 118c09bf3f914eedf5b399d45a345a6a8f059622d5708c2b71d5fcf888efa238
Opcode Fuzzy Hash: ad56a847cf1d184b0cc1197c6656717f9f5fa0db7cc025dfa61769f14cab1f55
Instruction Fuzzy Hash: 0C016DB2C045149FFB248A04DC5ABFA77A8EB04321F1401FAD90E96680E9BD9AC1DE91

Function 0092F18E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Strings

LM5I, xrefs: 0092F18E

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID: LM5I
API String ID: 823142352-636820872
Opcode ID: 8041f6fd757f819b02b9295a78ed3599f2050d8a86f546a68e0d34c4d1aeefde
Instruction ID: 43886836a9643b2948779ec6bb6459d448bbd503b4664b83a053bbd2bcf9255b
Opcode Fuzzy Hash: 8041f6fd757f819b02b9295a78ed3599f2050d8a86f546a68e0d34c4d1aeefde
Instruction Fuzzy Hash: B311F9709083585EE7294620DC65BEB7B38E742314F2106FAE69A690C2C6B81BC48B11

Function 008FD141 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 008FD695

Strings

jjjj, xrefs: 008FD686

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 17eebd6ff0cc23bccf174c00acd3298e12e15a67c5097a27dd00a7016d4282da
Instruction ID: 99215666ae18e04bfadd44318cb20da4b824d0a0f68d089f5c1e042325dd8ab9
Opcode Fuzzy Hash: 17eebd6ff0cc23bccf174c00acd3298e12e15a67c5097a27dd00a7016d4282da
Instruction Fuzzy Hash: C501D2B0E4835C6BF7208A10DC41FFAB376F794700F2441E9A709A5680E6792F808E84

Function 00929DA5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 3a3b4d872d00907e024bfea48f28e23352baaa1bf3722df526724f65230a50d5
Instruction ID: b4d8109d2d3cd7dc7a0b3e4b8ff401fa1034b6d929dabdae5f1abba02d3dc81a
Opcode Fuzzy Hash: 3a3b4d872d00907e024bfea48f28e23352baaa1bf3722df526724f65230a50d5
Instruction Fuzzy Hash: 2701F1B3C114149BFB288A10DC1ABFA7368E714311F1441FEDA0A96A84D9BC4FC08E51

Function 00928E99 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: e409757587de11cc06cc3eb2245f3ae08f8f7438957788bce93b7c946f51ffdb
Instruction ID: d7d15f9e6c67cd714e96121e1f13e4f001c0991ec9638f8ed666763b845c513f
Opcode Fuzzy Hash: e409757587de11cc06cc3eb2245f3ae08f8f7438957788bce93b7c946f51ffdb
Instruction Fuzzy Hash: 6101F4F3818558AFF7208A10EC5ABF773A8EB18310F1804FA9949D5581DABD4FC4DE52

Function 00929E50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 06870867217520493dd483d047cf1d903f39d1949e3e299f1fb5acbc8bb80cca
Instruction ID: d729f7d10c6c6d28bff816f22e088ae115e61f7344a7f84c5ff136496f6f155b
Opcode Fuzzy Hash: 06870867217520493dd483d047cf1d903f39d1949e3e299f1fb5acbc8bb80cca
Instruction Fuzzy Hash: 7F014FB3D005199FFB208A44DC4ABFA73A8E714311F1405F6D909E6280D6B95AC19E51

Function 0041BDD6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Strings

7B3Y, xrefs: 0041BDD6

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: 7B3Y
API String ID: 544645111-3648703178
Opcode ID: 402b31f7f363f5216cc02f1bb72fd21bbf69a199207760692237c803016cef72
Instruction ID: 39c24c1019937b6ea7643b79ac288d22b60a49ec9098781e8e542d4fc01bf98a
Opcode Fuzzy Hash: 402b31f7f363f5216cc02f1bb72fd21bbf69a199207760692237c803016cef72
Instruction Fuzzy Hash: A5F0C2F2C94121AAF7105524EC89FFB766CEB04760F140076E90DE6140E27D8FC14AA6

Function 00929D03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 7687824290d268f32db0b1a6aed371750a53d220b1dbf58684d34b246b07754a
Instruction ID: 1436172b259df1a5e49851e6e17ccb65fd1ee155e88ef2a09d2496e987304138
Opcode Fuzzy Hash: 7687824290d268f32db0b1a6aed371750a53d220b1dbf58684d34b246b07754a
Instruction Fuzzy Hash: B1016DB3C055299FFB248A00ED46BFA73A4E714311F2445E6D909E6684E6BD8FC0AE52

Function 0092A21A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 650e375969ee91eb7d61586d58c686ad4378dda41dd1c39cbc5344c100570039
Instruction ID: 8bee0a3fd28319b4ab04180bfb75ae7f9ee99d91b816c60e77d1e168f4eff2d0
Opcode Fuzzy Hash: 650e375969ee91eb7d61586d58c686ad4378dda41dd1c39cbc5344c100570039
Instruction Fuzzy Hash: D7016DB38045189BEB248A50DC56BFA73A8E714311F1405EAD909E6680DABC8FC09E51

Function 00929D41 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: e9d8f012683396562eba65902f3409bb8acdf4f3cab097b9e8b8d01ae3c5dad7
Instruction ID: dd4fc3c1183433b9d7462205e416501f6eb396482d5e58d1684fc32ab8c9124b
Opcode Fuzzy Hash: e9d8f012683396562eba65902f3409bb8acdf4f3cab097b9e8b8d01ae3c5dad7
Instruction Fuzzy Hash: 51F04FB3C055199FEB348A00DD4ABFA73B8E714311F1445EAD909E6684EAB84FC0DE51

Function 00929729 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0092A26A

Strings

Ph?, xrefs: 0092A256

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 2b028382a26eb4ab443adde483ad036362c1bc18c5a20c2d182064a1b4ee5b53
Instruction ID: 3669d7bd6b9277ded61cf6c7d1fc4e6b0531f1ed4740f21666d90d036021935a
Opcode Fuzzy Hash: 2b028382a26eb4ab443adde483ad036362c1bc18c5a20c2d182064a1b4ee5b53
Instruction Fuzzy Hash: DEF030F3C144159BF7348A04DD4ABF673A8E714311F1405BA9909E5680EABD4FD49E92

Function 008F51B9 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

R, xrefs: 0090CC30

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: R
API String ID: 0-1968290334
Opcode ID: 41ea33fafc5a193e20359fbf685e9c7d015d36e54ecfdcec850efbe4f8625a11
Instruction ID: 240bccd4098e2fd52292a5174019d9256d8c79f4ebc000cd8a9332913878ab87
Opcode Fuzzy Hash: 41ea33fafc5a193e20359fbf685e9c7d015d36e54ecfdcec850efbe4f8625a11
Instruction Fuzzy Hash: DB7129E2D146249EF7244B24DC59BFB7B78EB90710F1441FED90E166C0E67D1EC18A62

Function 0041534B Relevance: 1.7, APIs: 1, Instructions: 228COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 94afcbb885cf53290e66505c55b729cd1521856f59a8a97a08a6583f317ab976
Instruction ID: 5da083a13cbec819ad66447ac4a4433cd97ef7fe8c929fb70d11da4aac454fbb
Opcode Fuzzy Hash: 94afcbb885cf53290e66505c55b729cd1521856f59a8a97a08a6583f317ab976
Instruction Fuzzy Hash: 6791D2B2D056288FE724CA18CD94EEABB7AEB94310F0481FAD80D67644D6396FC5CE51

Function 00926A77 Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: e2b63121a7237b4f9da24cc850a1d108a15f5c9fb56ae945bc7815ed446ab38c
Instruction ID: 65cf96268e572bb7409c5ebc5cc562177afc48fbe857642326ece7a7f9e268d7
Opcode Fuzzy Hash: e2b63121a7237b4f9da24cc850a1d108a15f5c9fb56ae945bc7815ed446ab38c
Instruction Fuzzy Hash: 53A1CBB5E046788BEB24CB19EC84ADABBB5EF98310F1841EAD84DA3640D6355FC5CF41

Function 00909DA6 Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,00001000,00000040,?), ref: 0090B3C8

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7f632b43c2978e626a775be146d36414eb64096a4668847a9124ab2e56533294
Instruction ID: ce9afde25d2009dbb8158f2825b5d0bae9d08c99d69ad23c6fb8decf86bd58fa
Opcode Fuzzy Hash: 7f632b43c2978e626a775be146d36414eb64096a4668847a9124ab2e56533294
Instruction Fuzzy Hash: A37128B2D052248EF7248B14DC80BFA7778EF91310F1481FAE649566C2E67D5EC1CB62

Function 0092C472 Relevance: 1.7, APIs: 1, Instructions: 203registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,009086BE,?,009086BE), ref: 0092C4DE

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e4fd2907da36f65f7a5c845060741da4704abea0f6c435ec56fc27d1b4932cad
Instruction ID: f33bffc9a7442867f1c8720e9daa3bc2bca2b1e8320c081f33f10da4ecd43386
Opcode Fuzzy Hash: e4fd2907da36f65f7a5c845060741da4704abea0f6c435ec56fc27d1b4932cad
Instruction Fuzzy Hash: C79190B1D092689FEB25CB18DC956EABBB5EF84310F0441EAE84DA2640D7785FC5CF42

Function 00414396 Relevance: 1.7, APIs: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 69fabe70b1fd51af6b3deb31db2cea1ae100585615818b6fcfea11a3d86a283a
Instruction ID: 74472a5ec9c3fe4c55886525d6277c6099a2e3a899cf84f746c226c7d4f7be60
Opcode Fuzzy Hash: 69fabe70b1fd51af6b3deb31db2cea1ae100585615818b6fcfea11a3d86a283a
Instruction Fuzzy Hash: 8A81D071D045288FD724CB29CD80BEABBB5EFD4305F2481EAD40DAB294D6785BC6CE16

Function 00926F2F Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 5914107311a3ac3ce1dab1553ddb14044e64c5ff14d232a04c9389f23df93f57
Instruction ID: 8479f4a34f8ff09878ed1a2bfe66a513c11e08f38d67b9d48148e74ce1b97fd0
Opcode Fuzzy Hash: 5914107311a3ac3ce1dab1553ddb14044e64c5ff14d232a04c9389f23df93f57
Instruction Fuzzy Hash: 2661F6B2D041349BE7248A54EC84BEBBB79EB85310F1541FAE90D23645D23D6FC5CE62

Function 00927BC1 Relevance: 1.7, APIs: 1, Instructions: 183COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 67560035323ca2dd15b8ef660c9d5badd7915aa4b9a78fd4e7ad4a1348b5cca7
Instruction ID: 4e9d929d57d2c360539a350864e47d43b5e18d14270b015e53c0d65a11b3e327
Opcode Fuzzy Hash: 67560035323ca2dd15b8ef660c9d5badd7915aa4b9a78fd4e7ad4a1348b5cca7
Instruction Fuzzy Hash: 5761D0B1D094359BF724CA54EC90BFBBBB9EF81311F1481FAC84DA2684D6385EC18E61

Function 0092696A Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 125a294ef5c36d7183e05301948edf83d0152bb5db3eb0dc3ddc0b2c46114312
Instruction ID: c16bb593d2f16e52be5c7704c5e3808d9f15d499d00b26ffcf88f28ee0d7595d
Opcode Fuzzy Hash: 125a294ef5c36d7183e05301948edf83d0152bb5db3eb0dc3ddc0b2c46114312
Instruction Fuzzy Hash: E35138B2D082645FE7208B21EC45BEB7B79EF82310F0481FAD44D56585D6785EC6CFA2

Function 0090AC5B Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b3d8a8b7e05abb63f9e6c29597ee53dee3dba17a1561580634f674960650
Instruction ID: d18ce702a53eda61a6069c4b75b3b08d1d6f3711648e4112aebacbd0571ddf76
Opcode Fuzzy Hash: 31d8b3d8a8b7e05abb63f9e6c29597ee53dee3dba17a1561580634f674960650
Instruction Fuzzy Hash: CD51E2F2D15214AFF7288A10EC55BFA7769E780310F2081BAE60E966C4D77D5EC18A92

Function 00926DBE Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1481d6d2a0244f89ee74657369efe138f11a263d14944dd0cb98da27421ac2be
Instruction ID: a50c76762f6aac822ed07be30832b1c39b98683fef90fed26cbbe9433704c9a0
Opcode Fuzzy Hash: 1481d6d2a0244f89ee74657369efe138f11a263d14944dd0cb98da27421ac2be
Instruction Fuzzy Hash: A1513AF2D046389BE7248A54EC95AEBB778FB81310F1541FAE84D22641E2385FC5CE92

Function 0093A7BD Relevance: 1.7, APIs: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0093AACA

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bb9757195bf4f8f7944c309c7ff9768c265f45819a14f02cc556601f1370058f
Instruction ID: 03239687189ddf71b45a9298800580ae094b7eaf595bd9d858222934b3dd572a
Opcode Fuzzy Hash: bb9757195bf4f8f7944c309c7ff9768c265f45819a14f02cc556601f1370058f
Instruction Fuzzy Hash: 8A51E472D055249FEB24CB14CCA0BFBBB76EF81312F1481E9D549A7281D6385EC1CE52

Function 0041B167 Relevance: 1.7, APIs: 1, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b188b488870be0d63c804a91aa24403ff496910c39b4714d1202630702dd8b41
Instruction ID: 5eb8a8448e9747efaf3da59d438536a3872c4ba8ef0fe848cc8911fc0669e231
Opcode Fuzzy Hash: b188b488870be0d63c804a91aa24403ff496910c39b4714d1202630702dd8b41
Instruction Fuzzy Hash: 085146F2D14514AEF7108A20ED49BFB7729EBC0310F1581BBE90D56680E27D5FC68E96

Function 0090B172 Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,00001000,00000040,?), ref: 0090B3C8

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1dbea85e08f120facb33bb16fcfe2f847bf018053f274599ee80c0f4ae8a0320
Instruction ID: 6bccf77da6de0199ae34ed8ec511bb7b8b83efa4ffc3e999f941257a3e8dfbf2
Opcode Fuzzy Hash: 1dbea85e08f120facb33bb16fcfe2f847bf018053f274599ee80c0f4ae8a0320
Instruction Fuzzy Hash: 995111B19085548FEB248A14DCA1BFF77B9EF80305F2841FADA5E91281E73C6AC08E51

Function 0041426D Relevance: 1.7, APIs: 1, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 5b9cef5876871ef860a7b9ddcd7ffc2314b146a0be43456346f0c17103360a35
Instruction ID: 4652117e78e9cc9174df9fd7aca45beb414f1d66f0228a25086f5055323ef6d2
Opcode Fuzzy Hash: 5b9cef5876871ef860a7b9ddcd7ffc2314b146a0be43456346f0c17103360a35
Instruction Fuzzy Hash: 9261C472D046288FD724CB29CD80BEABBB5EF84314F1481FAD40DA7294D6785BC5CE56

Function 004142A3 Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: dace4513ce2d01881ee98a636057fc093739a387667d6c98dcb3984c1d210af4
Instruction ID: 354559b6e0ec4942fac12a682cf88070519995023233c89dc636c1a5bf674757
Opcode Fuzzy Hash: dace4513ce2d01881ee98a636057fc093739a387667d6c98dcb3984c1d210af4
Instruction Fuzzy Hash: 0451C272D046288FD724CB29CD84BEABBB5EF94304F1081EAD40DA7694D6785BC6CE15

Function 00414104 Relevance: 1.6, APIs: 1, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: c44a5d4f10f26ec8e72f5833469cc3b2d84adfb5e56cd85292d99afe3777968e
Instruction ID: 712dc68a1969bcd2a0c3b9d9b4921174b69998797709ff70c56a16a647395e35
Opcode Fuzzy Hash: c44a5d4f10f26ec8e72f5833469cc3b2d84adfb5e56cd85292d99afe3777968e
Instruction Fuzzy Hash: 5951E3B2D041249FE724CE18CD84BEABBB9EBD9304F1481FAD40D66644C27D5FCA8E56

Function 00419372 Relevance: 1.6, APIs: 1, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3083e419c3d9e6480fd32b0993d170d550e93f6310235d0c32bb902dc2c603b4
Instruction ID: 99e7b545ccbaa957486604864e207e50a3fcec8a1cfa27bc5654eb7ca8e894d2
Opcode Fuzzy Hash: 3083e419c3d9e6480fd32b0993d170d550e93f6310235d0c32bb902dc2c603b4
Instruction Fuzzy Hash: 784157F3E845946AF3105625ECC8EEB7B39EBC1720F15817BEA4D06540E13D4EC78666

Function 0092FEAA Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da95c60a2f2290913b44df64bc613ca7d4ad97c45158b969886f54cd6e6cea2a
Instruction ID: c673a14e60d30f536197763ee171bd0927492ceef5f25b48afc11c7c49e7b3f4
Opcode Fuzzy Hash: da95c60a2f2290913b44df64bc613ca7d4ad97c45158b969886f54cd6e6cea2a
Instruction Fuzzy Hash: 834126B2D05254AFF7248A20ED65BEB3B78EBC1314F2041FAE949662C1D6785FC1CE61

Function 0041C1B1 Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c964157a4bbe23cff09bc642527391c298c4e1ed3a9d9687d112ead79ebee1
Instruction ID: 0b6f59b6b6d3cfd861e1fbfe3200ae47590d169f594d32d849546e56cd24c172
Opcode Fuzzy Hash: b0c964157a4bbe23cff09bc642527391c298c4e1ed3a9d9687d112ead79ebee1
Instruction Fuzzy Hash: 8A41C5F2D81118AFF7208A15ED85FFB7739EB80720F1081BAE90D56680E57D5FC28A56

Function 00414D58 Relevance: 1.6, APIs: 1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: a1ffedfa88a64bb8f7f009315ef642e864b881b42f32b6fc3e272b0c1a8e0b62
Instruction ID: 8510f6737f21d201435da05b607a92284732eba51f39eaa5104f9459c9101aee
Opcode Fuzzy Hash: a1ffedfa88a64bb8f7f009315ef642e864b881b42f32b6fc3e272b0c1a8e0b62
Instruction Fuzzy Hash: F55149B2D046188FE718CF18DD85EEBBB78EB84305F1482FAE40D56244C2795FC68E56

Function 0092FC4C Relevance: 1.6, APIs: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 12a11dc55488555c729821c51ab2ee1804d64fba4171177662ae8cdc4eabd4f4
Instruction ID: c203bbc0efdd1984f9f26eabe58be75318e14fa419cbd72ec030a76d32aedb17
Opcode Fuzzy Hash: 12a11dc55488555c729821c51ab2ee1804d64fba4171177662ae8cdc4eabd4f4
Instruction Fuzzy Hash: F04155F2D04164AFF3248620DC54BEB7B79EBC1320F1540BAE84966281D5795FC6CEA2

Function 004142D4 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 1dff4a8858965d962a7214038015fe3e452d0c84c234b5380a04a3415c05ee73
Instruction ID: 77ef6881700b987b81de9bf48cdf69f853f7c68a40219863844ae437f75d0b6a
Opcode Fuzzy Hash: 1dff4a8858965d962a7214038015fe3e452d0c84c234b5380a04a3415c05ee73
Instruction Fuzzy Hash: 3A51CF72D046288FDB24CB29CD84BEABBB5EF88304F1081EAD40DA7694D6785BC5CF55

Function 0092F232 Relevance: 1.6, APIs: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 23fa30e7450061f4ec11ec0109344f1777b0f1f36e043ac854ea365d7431bf63
Instruction ID: 416f9b16fd4591606ed9e0aeadc4c0bbe4eb0b0328ad1fe224c9d88d7f1bff51
Opcode Fuzzy Hash: 23fa30e7450061f4ec11ec0109344f1777b0f1f36e043ac854ea365d7431bf63
Instruction Fuzzy Hash: 26615B74D092A88BEB258B28DD557DABBF1AF89304F1482E9E84D62244DB715FC1CF01

Function 009268EF Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 0058eba37d5968374fdc1d88ca00b5d09873c1be7980bcdca6bee0019c9dba3c
Instruction ID: 692eba1e5a00c4cf165dea23e2ddde1c8e5c4c072f57eef996b93a0b7df04c0d
Opcode Fuzzy Hash: 0058eba37d5968374fdc1d88ca00b5d09873c1be7980bcdca6bee0019c9dba3c
Instruction Fuzzy Hash: B7415AB1D092B95ADB204B61DC447FABF79DF82310F1581F6D48DA6085D2784DC6CBA2

Function 0093A74E Relevance: 1.6, APIs: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0093AACA

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 68ba2e1cc03c23ea0d85380a56166930d97824b6f58ffc12c77f336bd13fc2c8
Instruction ID: 0c25db6801f69fca43299601e574dd040bf04c801420d8fd84cfcae9c60fc012
Opcode Fuzzy Hash: 68ba2e1cc03c23ea0d85380a56166930d97824b6f58ffc12c77f336bd13fc2c8
Instruction Fuzzy Hash: ED519FB1D049688FEB24CF18CCA0BEABBB5EF45306F1441E9D949A7282D6359EC5CF41

Function 004142F1 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: d703739dcc62d8a373c12cb740604d7b2ffe371f64ba0e38c6ccb2ff5b11d3e6
Instruction ID: a95f8b4f8273bcb9d2d181dd2978678393635b89f95089999ba4ef6c692bb06a
Opcode Fuzzy Hash: d703739dcc62d8a373c12cb740604d7b2ffe371f64ba0e38c6ccb2ff5b11d3e6
Instruction Fuzzy Hash: BA51A172D046288FDB24CB69CD84BEABBB5EF88304F1081EAD40DA7294D6785BC5CF55

Function 0041C284 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205441354c442d359b9ca109ecd276ea969f71895a9351bf16406c6415bfe714
Instruction ID: 46e0b00ebc6eb9bcb03271a8495a55bc968b0dcc0d981941ef5fd1a4ad505cfe
Opcode Fuzzy Hash: 205441354c442d359b9ca109ecd276ea969f71895a9351bf16406c6415bfe714
Instruction Fuzzy Hash: 3341D4F2D842186FF7208A15ECC9FEB7779EB80720F1081BAE90D66640D67D5EC28A51

Function 0041B321 Relevance: 1.6, APIs: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe2f2b333b14317d796991e5424d744c1d03e43c91866c4a65c8d091c5e6875c
Instruction ID: aa53cda9ceb571ee80f8be6ebc02d2f47c7e66558542d501c8ce2179d5b77dff
Opcode Fuzzy Hash: fe2f2b333b14317d796991e5424d744c1d03e43c91866c4a65c8d091c5e6875c
Instruction Fuzzy Hash: 1A41AFB2D54224DEEB248A14DD85BFB7378EB55310F1441BBD94DA6240E27C4EC28FAB

Function 00927A0A Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: edb8a330beaf055332ab78f71f60c65789ac4f712a73d27a4aed3777bd1578be
Instruction ID: 4e4a309c5ce51db968017e8e089abb99c591368a4bb74df793c89e05b6e2883e
Opcode Fuzzy Hash: edb8a330beaf055332ab78f71f60c65789ac4f712a73d27a4aed3777bd1578be
Instruction Fuzzy Hash: F841D1B1D086688BEB24CB14DC95AEAB779FF84304F1442FAD84D63245D6346FC2CE92

Function 009271C5 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: a3cc2aaf763d4fa07826c75cc463a09cc0218d72d990bbe6f8fbb05acaf1f9be
Instruction ID: a62097da08b6e7361b585f375041e556f7b3316dfd317eeced42ea4838bdbc1e
Opcode Fuzzy Hash: a3cc2aaf763d4fa07826c75cc463a09cc0218d72d990bbe6f8fbb05acaf1f9be
Instruction Fuzzy Hash: 0C41E3B2D085389BF7248690EC95BEBB7B8EB80311F1441FAE41E36644D6395FC58E62

Function 0092FC0E Relevance: 1.6, APIs: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 791a6fd18d2050e85401f70a614c137e4bf74c762a86be795800a21359ee62b9
Instruction ID: 42b4e07890e1876f501973be77bdeba07e5ca1249d2f9470cd104bf9a81acdab
Opcode Fuzzy Hash: 791a6fd18d2050e85401f70a614c137e4bf74c762a86be795800a21359ee62b9
Instruction Fuzzy Hash: 353134B2D05194AFF7289A24DD69BEB3B38EBC1310F1101BAE449662C1C5795FC5CE62

Function 0092FFC1 Relevance: 1.6, APIs: 1, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3aa9734bbf19bee1a8e4dc9e145389dabc12d23c09db066f6a0764569cebdb9
Instruction ID: a8702fcc58de0307d54453475fbd601509ef00ad087da92675b9fcc1f4cfbd5a
Opcode Fuzzy Hash: b3aa9734bbf19bee1a8e4dc9e145389dabc12d23c09db066f6a0764569cebdb9
Instruction Fuzzy Hash: BF3146B2D052A4AFE7249624CC65BEB3B78EBC1310F1501FAE8496A2C1C6795FC5CF61

Function 0041B357 Relevance: 1.6, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 99f78b2838dc24c1a6437147204bd087541be8bb370cfba4d857946196ebc2e9
Instruction ID: 7ed53395caa21f7b3c410da4e7945bcd8528c72d6928e0d30ed7d2bcbbb404b2
Opcode Fuzzy Hash: 99f78b2838dc24c1a6437147204bd087541be8bb370cfba4d857946196ebc2e9
Instruction Fuzzy Hash: DD31D4F2D54224DEF7108A14DC85BFB7268EB55315F1441B7DD4DA6280E23C8FC28AAB

Function 0041C57A Relevance: 1.6, APIs: 1, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c03982353d849f4d13dfe7243795b8810ad57a14e9c19c150b1504909e3416e3
Instruction ID: 63e734a770d13442acf5b90e8729e305554c4c5889bf1bbc50e466e158164a72
Opcode Fuzzy Hash: c03982353d849f4d13dfe7243795b8810ad57a14e9c19c150b1504909e3416e3
Instruction Fuzzy Hash: DD41C0B2D401259BE724CB14CD84BFA77B6EB84310F1481FAD90D97341D638AFC18E95

Function 0092FFCA Relevance: 1.6, APIs: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 42178603d7ab2d1ac17919a4fd8b547041b49aa1440923dae2dcb41814d226a0
Instruction ID: 379b80cce18b20d83ed9f7f134e1b006fba0ca55d0a53782064a53204228eeb7
Opcode Fuzzy Hash: 42178603d7ab2d1ac17919a4fd8b547041b49aa1440923dae2dcb41814d226a0
Instruction Fuzzy Hash: EB3125B2D052A4AFE7249624CC55BEB3B78EBC1310F1501FAE8496A2C2C6795FC5CF61

Function 0093A8CA Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9177b0a9e938e3f35d58e8a43f7ee428a347faeff2f679e08fdff3d920d909
Instruction ID: ed459ac2efb8340fbef6705a84acdf7a3737987148267f2910b66830043680dc
Opcode Fuzzy Hash: 5c9177b0a9e938e3f35d58e8a43f7ee428a347faeff2f679e08fdff3d920d909
Instruction Fuzzy Hash: B641E471D094688FEB24CB14CDA0BBBBB76BF81302F1481EAD54DA7285D6385E81CF42

Function 0092716A Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 745722b8fa5c98059095b65e62d4944ee473dd45068db6f2ba47b941b8082dbd
Instruction ID: 2880966ec29546d3b15ebae206b231c09dfe695d7e0a72b5e0d401d5ae93144e
Opcode Fuzzy Hash: 745722b8fa5c98059095b65e62d4944ee473dd45068db6f2ba47b941b8082dbd
Instruction Fuzzy Hash: 8F31F7B2D085389BEB248690EC85BEBB7B8EB90311F1541FAE50E32644D63C5FC58E52

Function 0041B365 Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 270623a6fffc7a5390213c2cf577ce37a0ac3c57082a4d28100a4a0a64223e4d
Instruction ID: 27b9315497d67c21ac6cbdb30c69bda87acd6ef53a1b774bc9ca31b08d0e4be9
Opcode Fuzzy Hash: 270623a6fffc7a5390213c2cf577ce37a0ac3c57082a4d28100a4a0a64223e4d
Instruction Fuzzy Hash: A331E6F2C54224DEFB108A24DC85BFB7378EB54315F1441B7DD4DA6280D23C4EC28AAA

Function 0090B039 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,00001000,00000040,?), ref: 0090B3C8

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e8ae591026a63cb32db82e1f0e1bb3d8e74b7f49fa105618a1ab488529890076
Instruction ID: 2974446b82395150a449dcb46f64b9e061f3f4649de829216c64954b3efe7fb2
Opcode Fuzzy Hash: e8ae591026a63cb32db82e1f0e1bb3d8e74b7f49fa105618a1ab488529890076
Instruction Fuzzy Hash: 2C419CB2E055149FF728CA14DC90AFAB379EB80304F1481B9DA1E66381E779AE818E51

Function 00927846 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: a67c4aaac8379c43ba13a82659dafb82c721bcd7db40b2decc114491c33c9208
Instruction ID: 0d84444a0eb1fcb588627ff14324ee1f27f7fd2fd102ef60acfa6e19a5ed166f
Opcode Fuzzy Hash: a67c4aaac8379c43ba13a82659dafb82c721bcd7db40b2decc114491c33c9208
Instruction Fuzzy Hash: 5531B4B2C042699BE7208A55EC89AE7BB78EB45320F0441F6D84DA6240D6385FC5CEA2

Function 00414183 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 8b04ebbbf99e946f062d1021a27fceecf90a2f510773073852aaf20d9f76b600
Instruction ID: 4aa9dd345d65673ae35b8cab957c95532e7913973518a568fb6600fc6e3f9187
Opcode Fuzzy Hash: 8b04ebbbf99e946f062d1021a27fceecf90a2f510773073852aaf20d9f76b600
Instruction Fuzzy Hash: 2541E471D046148FD724CF28CD94B9ABBB5EF88304F1481EAD40C5B694C6795BCA8E46

Function 0041C2F0 Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5c08fd63016c21b054a6d4b97e32bd7cdb6e1055b874df71d07cfc2cdb0edb0c
Instruction ID: 9d5b88f1c960774d4efb7aa11a6dd023ade0870204a481e5dba98c68c14b446f
Opcode Fuzzy Hash: 5c08fd63016c21b054a6d4b97e32bd7cdb6e1055b874df71d07cfc2cdb0edb0c
Instruction Fuzzy Hash: 4F31B5F2D90218AFF7148A15EC85FFB7739EBC4710F1081BAE90D56640D57D5EC28A51

Function 0090F27E Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4de23c624d467ee1e72b5406e7fee2f36504ba3b826bc5df1d6a478a068feeaa
Instruction ID: 0ea8a41090f7093469ba78b1b609d0c4b645b95e6f38507c236d0a0c4b183f9a
Opcode Fuzzy Hash: 4de23c624d467ee1e72b5406e7fee2f36504ba3b826bc5df1d6a478a068feeaa
Instruction Fuzzy Hash: B431E5F2E085189FF7288B10DC65BEBB778EB84710F1042FEE40E52680D67C5EC28A52

Function 0041C2FB Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 087af003d2c6aecd528f344c7898fca4f91eca59398a5df4cbe05b0923b8066a
Instruction ID: d09cf651d443cb215b716fd051fa4d1b5624b0e3c4e014868eb832b7ee8ef0fa
Opcode Fuzzy Hash: 087af003d2c6aecd528f344c7898fca4f91eca59398a5df4cbe05b0923b8066a
Instruction Fuzzy Hash: 8631F6F2D842586FF7208A15ECC5FEB7B39EBC0320F1481BAD94D5A240D57D5EC28A51

Function 00935E97 Relevance: 1.6, APIs: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009368AD

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 980d4f9c0594ec5e3625a330df5072e1a9a06ba0c54eef38a03e2065b36915d5
Instruction ID: 8c55034a8ab09df9a535024261e429aa3a91c72af2f14fb9f76b64f02996645f
Opcode Fuzzy Hash: 980d4f9c0594ec5e3625a330df5072e1a9a06ba0c54eef38a03e2065b36915d5
Instruction Fuzzy Hash: 4B31D1F3E15524ABF7248904DC44FE77678EB95320F0541B9E90EA6240D27D5FC58EE2

Function 00927227 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 35d2be0f3afe690cfa87839833d3bc922edd977e0f108692452067e283ec207b
Instruction ID: 0b838ccd77e0b0a5d631d13cbfd4ab2f419020208865ba27e94db0c020a40d88
Opcode Fuzzy Hash: 35d2be0f3afe690cfa87839833d3bc922edd977e0f108692452067e283ec207b
Instruction Fuzzy Hash: 4031B6B2C08538DAEB248654EC49BEBB7B8EB84311F1541FAE40E32644D67D1FC58E52

Function 004143A3 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 96559d7694a33e1b7b4efc8e3965b644090e5ae2ca5c3619efd5ac7bbfda6c6e
Instruction ID: 116aae0212982470610d8f9ad3a36960232f92fc9faf5f3fb8aca13d1b4f2768
Opcode Fuzzy Hash: 96559d7694a33e1b7b4efc8e3965b644090e5ae2ca5c3619efd5ac7bbfda6c6e
Instruction Fuzzy Hash: 4F41B231D045288FDB24CE69CE44BEAFBB5EBC8305F1081EAD40D67258C7785BC98E45

Function 004141B8 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 2fc0eeadff207568cca7dcb4fbcef6fe7664858f449bca4b767402626a16a58a
Instruction ID: c5c19074c1bc517cfb4e99979305f2d3fbb0855d6f43c8a964ed9ea0c0c518e7
Opcode Fuzzy Hash: 2fc0eeadff207568cca7dcb4fbcef6fe7664858f449bca4b767402626a16a58a
Instruction Fuzzy Hash: 2941C371D045688FDB24CF28CD54BDABBB6EB88305F1081EAD00D67258C6795BCACE06

Function 0041B3B3 Relevance: 1.6, APIs: 1, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7f9427ee2f33c5a440c246799a95018a16772016a72100cf7cb0a27e99c90fbd
Instruction ID: 9c1a9001044c622c2f847de708c3531db389a9513c7c57bf811be2ce39cb404e
Opcode Fuzzy Hash: 7f9427ee2f33c5a440c246799a95018a16772016a72100cf7cb0a27e99c90fbd
Instruction Fuzzy Hash: 9121E5F2C54224EEFB108A24DD89BFB7668E754311F2481BBED0D95180D27C8FC69E96

Function 00414428 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: eaca00dad9ba84399146d56927ab985843105f9f20e434babf3ab1bae463e13b
Instruction ID: 787630a6ba4259c6403da4272c90618b296ca9eb70a4db4fd61ac04506f884da
Opcode Fuzzy Hash: eaca00dad9ba84399146d56927ab985843105f9f20e434babf3ab1bae463e13b
Instruction Fuzzy Hash: E3418371D045288FDB24CE69CE44BEABBB6EB88305F1482EAD00D67598C7785BC68E45

Function 0041C446 Relevance: 1.6, APIs: 1, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 86e97e1faf6b00ca9278dd765ad78635d3628a71100cc6318bcc18d34d3f025b
Instruction ID: be66c48b443587916ed005937928d5abe58e2042da19c046050b0beb7e4afe9e
Opcode Fuzzy Hash: 86e97e1faf6b00ca9278dd765ad78635d3628a71100cc6318bcc18d34d3f025b
Instruction Fuzzy Hash: 1B2120B2C84229AFFB108A20DC94BFBB729FB84310F1441FAD80D67241D2385EC1CA99

Function 004143B4 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: f8c177bf0bc4a92a67295a7be0c612f450c36cbf2b02f4136c9e627815d3e7ea
Instruction ID: 170d6e925add39181b451bff31c36bb6feb967943693711c8479eb7de1c19891
Opcode Fuzzy Hash: f8c177bf0bc4a92a67295a7be0c612f450c36cbf2b02f4136c9e627815d3e7ea
Instruction Fuzzy Hash: D931A231E045288FDB24CF69CE44BEAFBB5EB88305F1482EAD00C66258C7785BC9CE55

Function 00414132 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: b8791626b0082a9d7c61dbc4c56b5a3d76055929a220cb0c2aed3d2d602de655
Instruction ID: f48832b56edbd67bda688911a6fafdd5577ef626b60235d5dec7ba198ea9dbf0
Opcode Fuzzy Hash: b8791626b0082a9d7c61dbc4c56b5a3d76055929a220cb0c2aed3d2d602de655
Instruction Fuzzy Hash: 1131D472D045288FDB24CF18CE44BEABB75BB88309F1441EAD40CA7254C7B95FC98E46

Function 0041B44D Relevance: 1.6, APIs: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5c77610562ae0228eae20f590a737f4dab55bc69e8762c6646d690f3f4b0f4ad
Instruction ID: 6f53da0b11d78231b6d6f4a5f951a4899369c68c80632bdeb73f74c5c298d02e
Opcode Fuzzy Hash: 5c77610562ae0228eae20f590a737f4dab55bc69e8762c6646d690f3f4b0f4ad
Instruction Fuzzy Hash: 1E21BFB2C54624AAFB208A20DC85BFB6668E750325F2441B7D94DA6180D67C8FC28E96

Function 0092725D Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 11cdda6e4f29b2329c5243d86f0fbf9f121a52922a52ba51477b7d2ce1393254
Instruction ID: 827c850f1017a255452258b0fc3d2e52645a2b91837b21c032494f3619b346df
Opcode Fuzzy Hash: 11cdda6e4f29b2329c5243d86f0fbf9f121a52922a52ba51477b7d2ce1393254
Instruction Fuzzy Hash: 4021D8B2D085389BE7248640EC44AEBB778FB84311F1541FAE80D36644D2795FC6CE52

Function 0093003A Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5ef102c5c952777ccb098b019105a12bab50ead88baa41ce315e2415d708a40c
Instruction ID: 92b99d2b75e2e9729a9042e883692676cac9cd2d6e4d126328261142e02c8880
Opcode Fuzzy Hash: 5ef102c5c952777ccb098b019105a12bab50ead88baa41ce315e2415d708a40c
Instruction Fuzzy Hash: D62103B1E45294AFEB214630CC65BEB7B38EBC1310F1501FAE589AA2C2C6781BC5CF11

Function 0041C4CE Relevance: 1.6, APIs: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 80c91dc67fb32f82d433488fe960f91ee42225ba173d31f321c4fdf529d9f448
Instruction ID: b4a8a42af984394b528e29277132206578b59c34f1a163ca8424d3de88360327
Opcode Fuzzy Hash: 80c91dc67fb32f82d433488fe960f91ee42225ba173d31f321c4fdf529d9f448
Instruction Fuzzy Hash: C521DEB2D80229ABEB209620DC85BEB7739FB44310F1440FAD84DA7240E23C5FC18E95

Function 00926D5B Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 071e0ba2a4330bd2670d94ce3b9d03382c8e291beb9aeb1e2be9e84d50fdc96e
Instruction ID: 94de8ce1f6785a757ad520ebb71ae5e2b3b4c9daba98f043d4c5974b89478e6e
Opcode Fuzzy Hash: 071e0ba2a4330bd2670d94ce3b9d03382c8e291beb9aeb1e2be9e84d50fdc96e
Instruction Fuzzy Hash: EE21C6B2C195389BEB248A80EC85BEBB778EB84311F1541FAE80D72644D27C5FC5CE52

Function 00927D4E Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 852bc356184da13c937408f6a3ec90cd80aea761ced9d1a8c3236ac17325f98e
Instruction ID: 1046db2b5b148e29e0bb559a1ae562939e5f6800a1f5e706a16ebf03f763723b
Opcode Fuzzy Hash: 852bc356184da13c937408f6a3ec90cd80aea761ced9d1a8c3236ac17325f98e
Instruction Fuzzy Hash: FB21D6B2D085399BF7208654DC95AE7BB74EF41311F1541F6D84DA2280D6785EC1CEA2

Function 00927276 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6526f16f95859e7ee94ae9c2885e2aff3aa3018455aa0a90f80b138e3c0bbc60
Instruction ID: 7bf2301a5416a7596ea587627c2c52d3340fec3f0a99fa5901fd43707f75ab9c
Opcode Fuzzy Hash: 6526f16f95859e7ee94ae9c2885e2aff3aa3018455aa0a90f80b138e3c0bbc60
Instruction Fuzzy Hash: 2221C9B2C04638DBE7248A80EC44AEBB778FB94311F1541FAE80D72644D2385FC5CE52

Function 00930052 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 473f7ef9b01ce703fd949d31cbb76ee2ff466edff89be1e8deba3a1158114838
Instruction ID: fba609756d92b96f84fe6b3dd7903e6df41745425c2ecb5c1cfbed15700b45d1
Opcode Fuzzy Hash: 473f7ef9b01ce703fd949d31cbb76ee2ff466edff89be1e8deba3a1158114838
Instruction Fuzzy Hash: 012126B1D05294AFE7259620CC61BEB7B78EBC1310F2541FAE589A62C2C6781FC5CF11

Function 00926EA8 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ee5390707d3518ed124f7087bff1e3fb683fff2fc0e2d3a99e434ef75eec7224
Instruction ID: bfa5423817708da8e6adb62a7d78cc60ead980c0b4f204180f98f16a718dc0b4
Opcode Fuzzy Hash: ee5390707d3518ed124f7087bff1e3fb683fff2fc0e2d3a99e434ef75eec7224
Instruction Fuzzy Hash: 1921A4B2C045389BEB248A80EC45BEBB778EB84311F1541FAE90D72644D27C5FC58E52

Function 00926E25 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d9190cba3ba96e9024bedc3ff984d03ec3cb6d846a86afd16c8923b5393415c5
Instruction ID: e796e3641309ace17e22620f2fb77ada081cabcaefda014d84c6f66ab8e6fefa
Opcode Fuzzy Hash: d9190cba3ba96e9024bedc3ff984d03ec3cb6d846a86afd16c8923b5393415c5
Instruction Fuzzy Hash: 112196B2C055389BEB248A80EC45BEBB778EB84311F1541FAE90D76644D2785FC5CE62

Function 004141FB Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 49954132de3c07094ee499b7b3437e0d74b86a06f7189128f23b4220989fc526
Instruction ID: 58cbb210449243d3ad46e30b7af81cf0905a9e6f15068d571d836ac8cde04e56
Opcode Fuzzy Hash: 49954132de3c07094ee499b7b3437e0d74b86a06f7189128f23b4220989fc526
Instruction Fuzzy Hash: 0431B271D045688FCB28CF68CE94BDAFBB6AB88305F1081EAD00C67558C7785BC9CE46

Function 00935127 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009368AD

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 426436f8db68228f40b69dd4ed3219267f6325ff45afaec00a4bc56e3ba3804b
Instruction ID: f6e14e4987c1413c5216fc5b1eaa62636d48edc2e5fec05411432372a295f57d
Opcode Fuzzy Hash: 426436f8db68228f40b69dd4ed3219267f6325ff45afaec00a4bc56e3ba3804b
Instruction Fuzzy Hash: 862135B3E044059FF7248614DC14BFBB778EBC4315F1582FAE54E86281C67D9AC48E91

Function 00414167 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: e5a33aefab0d4a658201acb92a5da6016c11bbb5b3e8883c2c6556af6a16f349
Instruction ID: b3ec0fa55708011be8ab682fb5598677abf9f677e3d31b49d892cd183e820624
Opcode Fuzzy Hash: e5a33aefab0d4a658201acb92a5da6016c11bbb5b3e8883c2c6556af6a16f349
Instruction Fuzzy Hash: 8C31C472D045288FDB28CE18CE54BEAFB79BB88309F1442EAD40D67254C7795BC98E46

Function 0092EE44 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 286435bbb50076fb906b22fd5c791587cae8490bb97f698facd0da2f981f0ef6
Instruction ID: cc5b30f8266f9c4c75c8044de131a16ecd35cbd5d521b99397512d0831276d45
Opcode Fuzzy Hash: 286435bbb50076fb906b22fd5c791587cae8490bb97f698facd0da2f981f0ef6
Instruction Fuzzy Hash: 6C11E971E083686EF7258620DC65BEB7B78E782314F1111FAE559651C1C2BC1BC5CA12

Function 009272CA Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: e30166cbfb847f33f10dc9a0d1f5e295825716b22ecda471e2197bcf92a4bf90
Instruction ID: 4456b26a69a6c52f1ec4d6e0db6c1e0fc45ea5cb9c35b928fd684528567772b4
Opcode Fuzzy Hash: e30166cbfb847f33f10dc9a0d1f5e295825716b22ecda471e2197bcf92a4bf90
Instruction Fuzzy Hash: C511EBB2C0563C5BEB248A90DC85AEBB778EF44311F0042FAE54D62640D2785FC6CEA1

Function 00415368 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: fffd537b50bc22be30234d3c1970548c3f62d62aaec4d30157c9f07abb9480d9
Instruction ID: 21bb769881fb6d545dc4e2cf582016435fe674fe5678618669afce9e50332be4
Opcode Fuzzy Hash: fffd537b50bc22be30234d3c1970548c3f62d62aaec4d30157c9f07abb9480d9
Instruction Fuzzy Hash: 73316F75D05A288FDB28CF18CE94AEABB79FB98305F1081E9D40C67254C7796BC5CE44

Function 0041B49A Relevance: 1.6, APIs: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 259de0db5b6fd6bd7cc189d2b32fb75b7f2b3471ca6239219715c73f6aafa49d
Instruction ID: 5af42319bfea09a23fe02515ddb0c1a57fc9b2e7178c853a166a89f33ffe5cbe
Opcode Fuzzy Hash: 259de0db5b6fd6bd7cc189d2b32fb75b7f2b3471ca6239219715c73f6aafa49d
Instruction Fuzzy Hash: FF1129F2C98614AEF7104620DD89BFB722CE754325F2441B7ED0D96180D27C5FC65A9A

Function 00414531 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 588f086301bc42b8613a801edaf6268299a3d9738604243ab604a9157250af10
Instruction ID: 49c510807b60eb2822e07266f43ee40d336899d8b8ba5be9ce473cffbd7d8c6d
Opcode Fuzzy Hash: 588f086301bc42b8613a801edaf6268299a3d9738604243ab604a9157250af10
Instruction Fuzzy Hash: 4D319435D086648FCB28CF28CE98BD9BB75AB88305F1542EAD00D67194C7795BC9CE45

Function 00414175 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 63aef3c27a6dcbbef21aa139902d1aeeef29c91b371723a8dea3f3a828165de4
Instruction ID: d1146e0852971d154727119566392c91db69529ef9053fd9789abc78be3655d5
Opcode Fuzzy Hash: 63aef3c27a6dcbbef21aa139902d1aeeef29c91b371723a8dea3f3a828165de4
Instruction Fuzzy Hash: E3318172D045288FDB28CF1CCE94BDABB75AB88309F1441EAD40DA7254C7B95BC98E45

Function 009301C4 Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 294e74a8505973351756a1cf8f0102c9b1fa671fdd0dc04da5d69149d6855ac7
Instruction ID: a61e6d4fd04fe31d042face194e64108c7d3c4e342fdc72f4b80ddfec132761e
Opcode Fuzzy Hash: 294e74a8505973351756a1cf8f0102c9b1fa671fdd0dc04da5d69149d6855ac7
Instruction Fuzzy Hash: 491104B19052986FF7228720CD25FFB3B39EBC1310F1042E9E588A61C6C2741BC68F61

Function 009272B1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 7eb476148465c7f3ea511d81fd962fc0e80fcbef7f934ff6cb3c3b581005804a
Instruction ID: e9aebea329d254fa759e718e60c36321ffbd07d327fef8a73990c93ef7414f3f
Opcode Fuzzy Hash: 7eb476148465c7f3ea511d81fd962fc0e80fcbef7f934ff6cb3c3b581005804a
Instruction Fuzzy Hash: B51129B2C046389BE7248690EC54AEBBB78EF44310F0541FAE84D62644D2395FC5CE52

Function 00414489 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 1a140839b2206c035e0c9caff8f865aeb95db792c3a4da02e0c9616e15febd99
Instruction ID: 05649ab263e6e927e73eec75f55cdade34765d7516b142371889ee9e572bca1a
Opcode Fuzzy Hash: 1a140839b2206c035e0c9caff8f865aeb95db792c3a4da02e0c9616e15febd99
Instruction Fuzzy Hash: D4318271D045288FDB28CE2DCE44ADAFBB5EB88305F1481EAD00D67658C7795BC9CE45

Function 009269B5 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 3a7094f511edf89e9aa52eec18bc2f961a147243dd10debba773007dac8d76dc
Instruction ID: bb2de6384edd7aaabd5fdebe02834e0c0a89a13548baae09fd62d70027b969ae
Opcode Fuzzy Hash: 3a7094f511edf89e9aa52eec18bc2f961a147243dd10debba773007dac8d76dc
Instruction Fuzzy Hash: C61104B2C056A85FE7204651DC45BD67B79DF81310F0541F2C84C66195C1786ECACFA2

Function 0041E9E4 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3e1768d45e2e46194e9bf9f9893c900781775049a40accb1a001e2b2b6d744bb
Instruction ID: d8a2eff88b74671ee8be78405892aa35910b2fa02a1bec7ebbd6c9c57302a9eb
Opcode Fuzzy Hash: 3e1768d45e2e46194e9bf9f9893c900781775049a40accb1a001e2b2b6d744bb
Instruction Fuzzy Hash: E121C275E041598FEB24CB65DCD46EEBB70BF85345F2441EAC86917281C2381AC5CE05

Function 0093A9D4 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0093AACA

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f7031d6038f35a0e0f63b90f1021d9fd54d0399181d4eacf800700310aed3e30
Instruction ID: ba7293e5bf6bccf3fa162657f8e1ce5389fff9d85a8616ede66241b9f3dedd52
Opcode Fuzzy Hash: f7031d6038f35a0e0f63b90f1021d9fd54d0399181d4eacf800700310aed3e30
Instruction Fuzzy Hash: 7E11D3B2C055189FEB20CA14CD91BABBBB5EF40312F1482EAE84997281D6395E94CF52

Function 0093008A Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: abb34a87a6320760f8e9ef98ff727c522c87b87e0c34628d138609342a3b6fed
Instruction ID: 5e8c441cd927250b997cbc26daecc74f2bdc414965abeabe14c8a9b6f9bbd0d7
Opcode Fuzzy Hash: abb34a87a6320760f8e9ef98ff727c522c87b87e0c34628d138609342a3b6fed
Instruction Fuzzy Hash: 3011E7B1D056986FDB219B20CC61BEB7B34ABC1310F1105EBD589A62C2C6741FC5CF10

Function 0041421A Relevance: 1.6, APIs: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 5084487c1bea1109eec6d5f5d9948dedc8079a88211566eef2eed86633aabf16
Instruction ID: d6d5769e93a8c9cd52ac2ad9dcde85ad284d2dac803e3b132b7bcc7469727fb3
Opcode Fuzzy Hash: 5084487c1bea1109eec6d5f5d9948dedc8079a88211566eef2eed86633aabf16
Instruction Fuzzy Hash: B3217171D045288FDB28CF18CE84BDAFBB5AB88309F1581EAD00D67258C7B95BC98E45

Function 0041B552 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 83e2e4ad383e4afa489dfc4e2cb96589c3001f722bd055590bf81d01202b4cc5
Instruction ID: a850253ff0dbd4349ebab1a360f3da01b656d18c2b1874bc2c1f28f3f955c30a
Opcode Fuzzy Hash: 83e2e4ad383e4afa489dfc4e2cb96589c3001f722bd055590bf81d01202b4cc5
Instruction Fuzzy Hash: FB112BF2848250AEF7108620DC9ABFB7778EB50315F2440BBD94D99081C67C4FC68F5A

Function 009350EA Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 891ffd35cbd1485c54bc83f321f0162f0fc186c21752f18b14b2e8d0fa493192
Instruction ID: 3df1c509c31ec81d2112117b3ca52857f24f415221e4ec6a9613de45587494e5
Opcode Fuzzy Hash: 891ffd35cbd1485c54bc83f321f0162f0fc186c21752f18b14b2e8d0fa493192
Instruction Fuzzy Hash: 09014CF2904405ABF7188604DC55BFB73A8EB95312F0046FEE60A96180D6BD5EC48ED2

Function 0041C862 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ae63c5e048257067f3039b6b756ea3c59987e09f916fa158ceb6cb2ecfc5f1ac
Instruction ID: e858660d510e690c2047beaeef7fdd18c3cd5906502f33c8ff84e4139ec550f7
Opcode Fuzzy Hash: ae63c5e048257067f3039b6b756ea3c59987e09f916fa158ceb6cb2ecfc5f1ac
Instruction Fuzzy Hash: C711ECB2C94218AEE7108A24EDC8BEF7679FB44714F1081B6E909A1580C63D8FC59B45

Function 0041C869 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5d06fe31072f73db7e5db8156dcd5d6a683aef41863dccfe8814adc02f562b47
Instruction ID: 8c6524c0a6b907e5bf9f1507986ee31cd24442be3ee6fb2aa89a94f501fa2c04
Opcode Fuzzy Hash: 5d06fe31072f73db7e5db8156dcd5d6a683aef41863dccfe8814adc02f562b47
Instruction Fuzzy Hash: 7D11ECB2C94219AEEB108A20DD88BEB7B79FB48310F1081B6D808A6584D63D8FC58B45

Function 009269C7 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6432c8318c6c31d735ccae393ef13977569b52f5fd1d5cea3a4b4cf10df1951f
Instruction ID: 1bcf85ec8df39aaa9a0a448d3211382a68b842d50b5be1551cd48ad92ed1deea
Opcode Fuzzy Hash: 6432c8318c6c31d735ccae393ef13977569b52f5fd1d5cea3a4b4cf10df1951f
Instruction Fuzzy Hash: 861108B2D046785BF7204A52DC49BD7BB799F90320F0581F6D80C22544C6B86ECACEA2

Function 00926745 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: b045d057c2fc95598acea5fd6ce7c7dacc7c5efa29f601d2f1507b584ecb0121
Instruction ID: 041f0431940336af92682a8c3994b40da77e0f904aa08eb69281adc0bea31f91
Opcode Fuzzy Hash: b045d057c2fc95598acea5fd6ce7c7dacc7c5efa29f601d2f1507b584ecb0121
Instruction Fuzzy Hash: A40184B3D046786AF7204A52EC49BD77B69DB50321F0545B6D80D62284C1BD6FCA8EA2

Function 00926A64 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: bbe8450253977bca0c062904586e0d32b2b2549ffbc811a1b10c1af19117d04b
Instruction ID: 3f4a251f04576606060229a3c62f2168808393bf79350f2e6ee5f67a1a7b0228
Opcode Fuzzy Hash: bbe8450253977bca0c062904586e0d32b2b2549ffbc811a1b10c1af19117d04b
Instruction Fuzzy Hash: A511E9B2C056789BE7208A52DC897D67B789F40311F0641F6D40C26145D2BD6ACACF92

Function 009353FB Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009368AD

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1d8ff8e38f1ca72b150a6505b033f3631655489fae71bf2ab9a7ce8e8300d3cd
Instruction ID: 2f4d0cbef272dc60df17bd749d2c57412aa16e5f81255034a27b0549e83c7d43
Opcode Fuzzy Hash: 1d8ff8e38f1ca72b150a6505b033f3631655489fae71bf2ab9a7ce8e8300d3cd
Instruction Fuzzy Hash: D201B5F2A45005AFE7288504DC55FFBB36CEB84311F0442BDE90A96240D6796EC48E92

Function 00415458 Relevance: 1.6, APIs: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 16e25ef2f5c207c25ebcb1c6859400c07d849e0ef597ca9e94788e442c49c3f7
Instruction ID: 1c36b401c951dc3e23cd11d60758ee6411a8f8dca43621f9a16ef411bebbc5d0
Opcode Fuzzy Hash: 16e25ef2f5c207c25ebcb1c6859400c07d849e0ef597ca9e94788e442c49c3f7
Instruction Fuzzy Hash: B1215175D046288FCB28CF18CE84AE9FB75EB88305F1481E9D00DA7254C7755BC5CE45

Function 0092F189 Relevance: 1.6, APIs: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f26637d0e53abb5c6a72f9583c64871bb17940e0889995a4a49f46e5f35177b0
Instruction ID: e540570a596facb682a20bfe8a4d952c44d9e887c8b0d419202479587711249e
Opcode Fuzzy Hash: f26637d0e53abb5c6a72f9583c64871bb17940e0889995a4a49f46e5f35177b0
Instruction Fuzzy Hash: 6B11F970D0C3549EE7294620DD66BF77B38E742314F1146FBE65A650C1C6B81BD48B12

Function 0092EE8A Relevance: 1.6, APIs: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0e64c9a066431770c1e538538201def131590c881ba035a83644e2ce619d83c8
Instruction ID: 3c08126114716a5acf8ca33620c6244e47f58411966e7fccbcd5d8b421e3173d
Opcode Fuzzy Hash: 0e64c9a066431770c1e538538201def131590c881ba035a83644e2ce619d83c8
Instruction Fuzzy Hash: 9001B5719083A8AEE7254630DCA5BE77A38E742714F1102FBE699650C2C2B91BC4CB12

Function 0041EA27 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 284590203c9d4f6344e038b83bb4d3846814b2dd1e6acbd3fb5fb093bbdfbc72
Instruction ID: 0ece2404e48273a56849b7ff2f4b1e463a8c4d99babb6272a85de91f86cbe634
Opcode Fuzzy Hash: 284590203c9d4f6344e038b83bb4d3846814b2dd1e6acbd3fb5fb093bbdfbc72
Instruction Fuzzy Hash: 0A1125B6E041589EF724C662DCD86EF7774FF84315F2441FBC85912281C2382EC18E06

Function 009269D6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 3a7fe09157d59cbe24c9704b448c8dc8aceb320caa815f45c81c60bafdeb5ce1
Instruction ID: 46d9cf220f16f173843230f45db5d11c70def3786b9a7f606824bfbd3770f1c0
Opcode Fuzzy Hash: 3a7fe09157d59cbe24c9704b448c8dc8aceb320caa815f45c81c60bafdeb5ce1
Instruction Fuzzy Hash: 0901B9B2D046785BE7304A42DC49BD7BB799F50321F0581F6D80C22244D2BD2FCACEA2

Function 009266C5 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 72e2da79b3d842b9e8d3967fa43727c636bbf3f067c7f81f9bf641e89d1818a8
Instruction ID: 42bd1598685f2c8bfe81438ebd909425a1e77f021a838633762f4e317ca459f4
Opcode Fuzzy Hash: 72e2da79b3d842b9e8d3967fa43727c636bbf3f067c7f81f9bf641e89d1818a8
Instruction Fuzzy Hash: A30175B2D056785BF7304A52DC49BD7BA799B50321F0641F6D84D22184D2BD2ECACEA2

Function 0041587D Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: e6c544a69d2f7ed5de0680eb67c04cae5e6c445befbcf0c8994afd5a68814ab7
Instruction ID: 102379f3035811a6756246d7f6391455c2bf76d8c1dc0ab62493bf3e046c72f9
Opcode Fuzzy Hash: e6c544a69d2f7ed5de0680eb67c04cae5e6c445befbcf0c8994afd5a68814ab7
Instruction Fuzzy Hash: 67213C35905A298FCB28DF18CE84AE9FBB5AB88309F1482DAD00D67258C3755BC9CE45

Function 00415884 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 0c74814c970419d156efc63e33d7b344ec1c4089b94414aaddd3c884600bd64f
Instruction ID: 002924edb34e52c9dab2aec6c4ffb8fac8ca7b952bfafdbc8fd8adddb1d7976c
Opcode Fuzzy Hash: 0c74814c970419d156efc63e33d7b344ec1c4089b94414aaddd3c884600bd64f
Instruction Fuzzy Hash: CC213E35905A698FCB28DF18CE84AD9FBB5AB8C309F1485DAD00DA7254C3755BC4CF45

Function 00415891 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 05f1f2fa0499858905858a0dd537e5be070f9e021ade29bd6cfe6b78e001970e
Instruction ID: 130b5d472fde69285e2727f2d63a57f746d3093453fdec85d424b2d563f4634f
Opcode Fuzzy Hash: 05f1f2fa0499858905858a0dd537e5be070f9e021ade29bd6cfe6b78e001970e
Instruction Fuzzy Hash: 97211D35D05A298FCB28DF18CE84AA9FBB5EB8830AF1482DA900D67258C7755BC5CE45

Function 009305B3 Relevance: 1.5, APIs: 1, Instructions: 46fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a95b43a8b28202706e2d5482095ed353b03a61a8c607c4b6129fdc3137bea5d6
Instruction ID: 19895ded6bd71eff3b2970273aaf801949e0c8001bcf1f35fc41f42fb46c1122
Opcode Fuzzy Hash: a95b43a8b28202706e2d5482095ed353b03a61a8c607c4b6129fdc3137bea5d6
Instruction Fuzzy Hash: 7901D8B2E443946FFB218630DD25BE77B39ABD1310F1502EAE548A61C3C2B94B858F15

Function 0093AA24 Relevance: 1.5, APIs: 1, Instructions: 46fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0093AACA

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2833f676f110f3bf7f383ea34c08a2f7570ad2e212116b6a2f8b14ddbc6fbdca
Instruction ID: ee3297bdfe996d111cb1017c7334c8e0e0c1af04fdd3c37a79ea258932a6a31c
Opcode Fuzzy Hash: 2833f676f110f3bf7f383ea34c08a2f7570ad2e212116b6a2f8b14ddbc6fbdca
Instruction Fuzzy Hash: 1201B5B2C055189AFB20CA05DE80BBBB775EB40311F1081FAE80D96240E6391E94CE52

Function 009300BF Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e665449f3481df5b4cabe8df88a87caa9c2090206978756f400df04b9234ae23
Instruction ID: b0058c95bf48232a3ffb62530c5bd3f0ee4d5fc4103536ddc211a8950cd49441
Opcode Fuzzy Hash: e665449f3481df5b4cabe8df88a87caa9c2090206978756f400df04b9234ae23
Instruction Fuzzy Hash: 5501D4709463946FDB269B308D61BEA7B34AB82710F1501DAD584AA2D3C6705F85CF10

Function 004154F2 Relevance: 1.5, APIs: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 12837074adf44fb41b341c8af6b05101f35c149c12e54fa078bab54908b02e58
Instruction ID: fd01c687d2eb289cdd0abbbc3f1bc05a0c3dd0f4319cae37e76a57b1434755dc
Opcode Fuzzy Hash: 12837074adf44fb41b341c8af6b05101f35c149c12e54fa078bab54908b02e58
Instruction Fuzzy Hash: 76210C759056298FCB28CF18CE94A99FBB5BB88309F1481D9D40DA7258C7756BC4CE44

Function 00927901 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: b028ff3682295579ce617f9272c86a63c133fe1d8cbe995d194579a2eebeb533
Instruction ID: eea5299ed971ea09eff50258f026aa3402185aa44c9a2192588ec00cf1afd48b
Opcode Fuzzy Hash: b028ff3682295579ce617f9272c86a63c133fe1d8cbe995d194579a2eebeb533
Instruction Fuzzy Hash: 6F01A2B1C096789BE7348B51AC45AD7BB78DB44311F0142FAD44D62240D6781FC6CEA1

Function 00930168 Relevance: 1.5, APIs: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2c6c0187c35e8d956e9bcbb30284187eaca78b0c004bf18b294f518cf0b1f9c6
Instruction ID: 3b1e0f745da4719362c2c379179668cf994aa8ef91b10971c66ddbafe8a69dba
Opcode Fuzzy Hash: 2c6c0187c35e8d956e9bcbb30284187eaca78b0c004bf18b294f518cf0b1f9c6
Instruction Fuzzy Hash: E501D4B19443986FEB614630DCA1BE73B38DB81314F0405EAE544E52C2C2755BD08F61

Function 008F51BF Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d464a7c766b595da835da45c709fd0e4f31d3a28975c46660ec67d15306194af
Instruction ID: 78e80610f948111eca96823b932c94fa5f327cd7b0cac9d21f2d6ca7f7dbb13d
Opcode Fuzzy Hash: d464a7c766b595da835da45c709fd0e4f31d3a28975c46660ec67d15306194af
Instruction Fuzzy Hash: E301F9F3D126109FF7244A60DC91BFB766CDBC0315F1844B9A60E551C2E67E5AC08A51

Function 00414DC3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 7b37c2306635ce479f0258e8ec98b0f4f5cb4abee1fb6af909992396b93dc901
Instruction ID: b884804259e124b0de48f1445b5f5848933518517e0bf29dc385ab4250d7d561
Opcode Fuzzy Hash: 7b37c2306635ce479f0258e8ec98b0f4f5cb4abee1fb6af909992396b93dc901
Instruction Fuzzy Hash: BB214F35904A298FCB28CF5CCE94A99FBB5FB8830AF1482D9D00D67254C7B56BC88E44

Function 00935104 Relevance: 1.5, APIs: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009368AD

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4faf9b94901eb3323e9efb52101748d508f2feaff0950fb1bc8a5752ad186c40
Instruction ID: abb6d209eb5792968dbdf0293121c1644d2f14e650eb3c955505b1382a1fe440
Opcode Fuzzy Hash: 4faf9b94901eb3323e9efb52101748d508f2feaff0950fb1bc8a5752ad186c40
Instruction Fuzzy Hash: D001A9F2A444159BE728C504DC15FF773ACEB94315F0442FEEA0A96140D6795ED48E92

Function 0041457A Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 66bb73d4853e0cfd11bce03c0ae37fa927d1758748597fe9739d080facadaf77
Instruction ID: 15dc8cf2646a8b9a46b8774527ca9ffc6126ee3136000852301462eda88ddf43
Opcode Fuzzy Hash: 66bb73d4853e0cfd11bce03c0ae37fa927d1758748597fe9739d080facadaf77
Instruction Fuzzy Hash: 972130359045288FCB28CF18CE94A99FBB5BB88309F1481D9D00D67254C7B55BC98E44

Function 009278FC Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1adeff401dfe2875c3e45ddba2f15ce09b0cb21beac3a508f0d0bf5acf32cd45
Instruction ID: c7f05a4fff7ce5bcc97bdc301b250e6fc816e5ea09f60fc95014a851955d5812
Opcode Fuzzy Hash: 1adeff401dfe2875c3e45ddba2f15ce09b0cb21beac3a508f0d0bf5acf32cd45
Instruction Fuzzy Hash: D20186B1C096389BE7348B41EC499D7BB78DB44311F0141FAD40D62240D6791FC6CEA2

Function 00927A46 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ae852570922ff721b190a9f4d5fbc998a96d6e43aba75d04e3a8d6f81e76ea1e
Instruction ID: fcbee8f969cc79ab8cf74a489b33c5732795d45912016b031dffe99e9ba39624
Opcode Fuzzy Hash: ae852570922ff721b190a9f4d5fbc998a96d6e43aba75d04e3a8d6f81e76ea1e
Instruction Fuzzy Hash: B501D6B1C056289BE7208B41DC85AD7BB79EB80310F1541F6D40D23340E2781FC6CE62

Function 0092FAD4 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 836f9395f442052a780f0c0ecee08fe7e5f232a074e147f1028c9cad26efc8e5
Instruction ID: 0349fc33b981995ce8b5d324ff0e3e918d4b9bb75e812897729c2326c2efe9bd
Opcode Fuzzy Hash: 836f9395f442052a780f0c0ecee08fe7e5f232a074e147f1028c9cad26efc8e5
Instruction Fuzzy Hash: 02012D709483E46FD72197305C65BEB3B74AB42304F3106EAE185A90C3D2B54785DF21

Function 0092FADF Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7b05f504a742aa2f562cf1cd8b6236f6d89b506ae19ab8df8c3b68079ac7350e
Instruction ID: a551c4e3edd4c802aa378a715077420415fbdcc14d3c87fa4af8c247d00de97f
Opcode Fuzzy Hash: 7b05f504a742aa2f562cf1cd8b6236f6d89b506ae19ab8df8c3b68079ac7350e
Instruction Fuzzy Hash: 8F01C8709487E86FD7219B308CA5BEA3B74AB82714F2103DAE185A90D3C2B54785DB65

Function 0092FADA Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b6cd144d091ec84b0201f2d2d1e49fe604a71f7fa981eb158348ea9a69cc5b6e
Instruction ID: 2e800b48e2405c507fa75b8e5b3fb0a31165b54860553e67bd46ff6abdfad87a
Opcode Fuzzy Hash: b6cd144d091ec84b0201f2d2d1e49fe604a71f7fa981eb158348ea9a69cc5b6e
Instruction Fuzzy Hash: E40128709483E46EDB2197308C65BEA3F74AF82704F2116EAE1C5A90C3D2B54785DF21

Function 00902FC5 Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,?), ref: 0090350E

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e5362b341ebd38e74437f79b28858fd85c6ee4339fde20c519bf8302afbf22b4
Instruction ID: 4a2058c084fe15efb2389672fba5298a27058d9ef44cde77c2181e30bc4fa39d
Opcode Fuzzy Hash: e5362b341ebd38e74437f79b28858fd85c6ee4339fde20c519bf8302afbf22b4
Instruction Fuzzy Hash: 9DF0CDB2E0A43A8BEB208A49DC05AE7F7B8DB44325F1001F5EC0DA3350D9395EC18EC1

Function 0041C493 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ec11059d26b7692d4fa61c9163542e45d31aee0c8853dcbcf829fb0dfedf9589
Instruction ID: aaaf57848a4f69a74df0af8c6dc8587d1bcd015f373546b64ed740064c1f1fc6
Opcode Fuzzy Hash: ec11059d26b7692d4fa61c9163542e45d31aee0c8853dcbcf829fb0dfedf9589
Instruction Fuzzy Hash: 36F062F2C94215ABE7109624DCC5BEBB774FB08754F1040B6E90DA6240D6785FC18F55

Function 009279CF Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00927E67

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: c88e05f3810d5f0c2a7015b7038805f1f0c157094d991e73f38c3bd76390b611
Instruction ID: 58a5b3f4d08e437b939d39ab59cb1fc8894c46fdf1957a98d23ba760153cb523
Opcode Fuzzy Hash: c88e05f3810d5f0c2a7015b7038805f1f0c157094d991e73f38c3bd76390b611
Instruction Fuzzy Hash: 0BF062B1C0563D9BEB309B41DC85AD6BB78EB04310F0141FAD80D62240D6745FC5CFA2

Function 009300D8 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bf75bbdce0d22473bf47551c1c650ba3579d1a90148a2f1473785b6d3a5ef229
Instruction ID: 8d43e0258a582611154e995a9db376bf4457b03417382ee76bc5f912921d0deb
Opcode Fuzzy Hash: bf75bbdce0d22473bf47551c1c650ba3579d1a90148a2f1473785b6d3a5ef229
Instruction Fuzzy Hash: 78F096B0D453985FEB2687208D65BEA7B34AB81710F1506DAE549BA2C2C2B11FC4DF11

Function 0041EA8B Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0ecfbaec0acbfba2d74faba536cab58ca65d7a9c4cf515ee0c2fdc669570c261
Instruction ID: 4102c378c0a365c891508939056204c61bb57569964f9346421ce577959659dd
Opcode Fuzzy Hash: 0ecfbaec0acbfba2d74faba536cab58ca65d7a9c4cf515ee0c2fdc669570c261
Instruction Fuzzy Hash: C8F0C2B5C8429A9EF7218B55DC897EA7734FF40314F2401FAD84916241D7392EDACE06

Function 00930104 Relevance: 1.5, APIs: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 00beb67a97108ea359878560e3730f28e2be047d98630dba58de2503917f3169
Instruction ID: 00c52599ae566475032d00617cb103451fbe6f4de3aea4ae26af9b93eab069f6
Opcode Fuzzy Hash: 00beb67a97108ea359878560e3730f28e2be047d98630dba58de2503917f3169
Instruction Fuzzy Hash: 89F096709453985FEB2687208D65BEA7B34AB81710F1102DAE544BA1C2C2B01FC0DF10

Function 0092FAF2 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00930631

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b806c9c0cbc18e3930c52b3aa662b7dd8fd8a640d1d2b56ed38f339c56b9e66f
Instruction ID: 611eebdcecd240fd9ec0f53173cae0579e10c997c7bba96996124601fb6494e3
Opcode Fuzzy Hash: b806c9c0cbc18e3930c52b3aa662b7dd8fd8a640d1d2b56ed38f339c56b9e66f
Instruction Fuzzy Hash: A5F0A7709483986EEB6157305C26BEB3B34AB81714F1506D6F584B90C3C2B55BC49F65

Function 0090F13D Relevance: 1.5, APIs: 1, Instructions: 27injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0090FCA9

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bc7f8452d28c517886493e313f956477686baa4d26bbaee6a2dcabb82df77f95
Instruction ID: aa9ad4db2c130b065a3b15dd2c7393ed0ad8d91620982eecfcca500b554d8430
Opcode Fuzzy Hash: bc7f8452d28c517886493e313f956477686baa4d26bbaee6a2dcabb82df77f95
Instruction Fuzzy Hash: 6BF0F8B2A0D128DBEB30CB54DC54BEAB3B8AB48740F1046D9A80D92241DB35AED19F91

Function 0041EAA1 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a6d9dfd96aef1864b4077983a3253ad495e879bb8af6e179c4899c44d1ba5181
Instruction ID: 9e7a694e95cb7da723a5a1da34a3a83035f5137b9c701cac9cbe5ad93f0f23d3
Opcode Fuzzy Hash: a6d9dfd96aef1864b4077983a3253ad495e879bb8af6e179c4899c44d1ba5181
Instruction Fuzzy Hash: 30F08CB9D44259DEEB208A11DCCC7EA7334FB84311F2401B6D81A26280C6382EC99E0A

Function 0093A6A6 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0093AACA

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 86a55c5524a0fbf7a74c6e597a3e7af88a011291529ffd19e39e88275a4973b1
Instruction ID: a35198dbc36afa5c5183583be9dd76d8efee0ab2fd65c6a5edc6aeee3fc4ae83
Opcode Fuzzy Hash: 86a55c5524a0fbf7a74c6e597a3e7af88a011291529ffd19e39e88275a4973b1
Instruction Fuzzy Hash: 2DE06DB1D496189FDB24CA01CE81BBAF3B4FB44202F5041E9A80EA3300E6365E90CF82

Function 0041EAC7 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 4b484ffa76752736d07f725a78da4f3f7c162ab2d24ef284ea40f4e7fef7f12a
Instruction ID: 53eeac8963da1a15ae9944b41a9808fbc2383cd4a62e39abba7d4ab5ff02253c
Opcode Fuzzy Hash: 4b484ffa76752736d07f725a78da4f3f7c162ab2d24ef284ea40f4e7fef7f12a
Instruction Fuzzy Hash: D5E04F759452A88EDB21CB55CC985DFB730FB84340F2146F6D84A56691C6342EC18E45

Function 00927F99 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00927A00,00927E9C,?,?,?,00927A00,?,?,?), ref: 00927FB2

Memory Dump Source

Source File: 00000000.00000002.1520846477.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 01ed0c64d1628c405980cc92b5268ba959d8bec227148320baeb35d6de935af7
Instruction ID: 3f6cb9ab2be96952f19cd078f63a4cff856ad7df096d010f32dd26f8941290d5
Opcode Fuzzy Hash: 01ed0c64d1628c405980cc92b5268ba959d8bec227148320baeb35d6de935af7
Instruction Fuzzy Hash: 14E04FB0C046684BEB28CB80CC456F9B734EB50310F0441DAE54962645D6755AC5CE51

Function 0041EAE0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 49c345a571e3be6f7da75dc14c5c971a0d93ddaa0bc72571f9b98773a8c2832f
Instruction ID: fa1699ddebaefca88b04a53868e20f570e70ea1e2e9c46d79a4dfe0b0b0f78b8
Opcode Fuzzy Hash: 49c345a571e3be6f7da75dc14c5c971a0d93ddaa0bc72571f9b98773a8c2832f
Instruction Fuzzy Hash: 92D06775D455688FC756CA81CC496D8B770BB99302F2005D6C44A66751D6302AC19E45

Function 008F5759 Relevance: 1.4, APIs: 1, Instructions: 194memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6874c0f5f910c48b9f377f771b08c1003916a2a7fa2e456aecf83be218bf2615
Instruction ID: 180f40408c241024dae0cf62937dee4c851c1fbc3b60fd88749657d7a85fa643
Opcode Fuzzy Hash: 6874c0f5f910c48b9f377f771b08c1003916a2a7fa2e456aecf83be218bf2615
Instruction Fuzzy Hash: 1571C2B1E0452C9FE7208A24DC49BFAB779FB81314F1441F9DA49DA680E6789EC5CF12

Function 008F5B1C Relevance: 1.4, APIs: 1, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a509c7ecda87a232ba2b64e6dd4ca50396250fb463e466bfcc59a9914a99d0b1
Instruction ID: a600e51f31feef5295229230dcc3ce95b2bc4d98f3512809497dbdfaa1e0d07f
Opcode Fuzzy Hash: a509c7ecda87a232ba2b64e6dd4ca50396250fb463e466bfcc59a9914a99d0b1
Instruction Fuzzy Hash: 8271EFB1E0456C9FEB248B24DC94BFA7776FF82319F1841E9D64DA6240DA794EC0CE01

Function 008F6659 Relevance: 1.4, APIs: 1, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9e89ec0e7dd316c5e2ff7afc682c522f537dba450b69f5fac28b4c7c74478f03
Instruction ID: 488fc6110da3e810e0a7d639f47dafb655f88e2ed996c8431687fb2cb399e05d
Opcode Fuzzy Hash: 9e89ec0e7dd316c5e2ff7afc682c522f537dba450b69f5fac28b4c7c74478f03
Instruction Fuzzy Hash: 7251E270A0412D8FEB24CB20CC957FABB75FB42309F1882EEC64A96145E6385ED0CF42

Function 0041A4E3 Relevance: 1.4, APIs: 1, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06a61e69d04b37221295af2c4ad9485268b36de450e7d0959f44e347b7a98932
Instruction ID: 3d81ff04424be14c48b57625c950b00db357e467a1b15672939b08afbc1fec3e
Opcode Fuzzy Hash: 06a61e69d04b37221295af2c4ad9485268b36de450e7d0959f44e347b7a98932
Instruction Fuzzy Hash: D85103B2E051559BE7108A14CC94AFF777AEB82311F2880BBDC4D9A640D63C9ED28A42

Function 008F6503 Relevance: 1.4, APIs: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 49618e66abfa8f2086e12feedc8a496c5dd9ed24b70c587651337dd0609aacfd
Instruction ID: 48a07217a7b58c8f57b198e20e749e2321a0f742e60bf2dce8e8e99a9a64238a
Opcode Fuzzy Hash: 49618e66abfa8f2086e12feedc8a496c5dd9ed24b70c587651337dd0609aacfd
Instruction Fuzzy Hash: 39519CB1E441299FEB24CB14DC85BEABBB5FF85300F0441E9D94DA6282D7789ED1CE41

Function 008F5C4E Relevance: 1.4, APIs: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d50615baf585f498bbe5242710424a956d7a71443f3cd7fbd97bcaf625262d9d
Instruction ID: 85c3a2eca8cb602b2868fa693d9450b3fb2a18350ec4254f16984eb13cee1153
Opcode Fuzzy Hash: d50615baf585f498bbe5242710424a956d7a71443f3cd7fbd97bcaf625262d9d
Instruction Fuzzy Hash: AE41A1B2E0552C9FE7248A14DC59BFA7679FB81318F0840FAD64D96280E7B94FC48E42

Function 00419407 Relevance: 1.4, APIs: 1, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b7d2213f06332f7a0a61e03ef2949af1ed4cd01500d0c6b28b4b0d5c143cfd36
Instruction ID: 210502c76941dbec5fb3054a4451f716325695ce09277e0969f745675bfb7826
Opcode Fuzzy Hash: b7d2213f06332f7a0a61e03ef2949af1ed4cd01500d0c6b28b4b0d5c143cfd36
Instruction Fuzzy Hash: 043158B2C041949FF3209A20DD4CBEB3A68EF81314F2844F7E849962C1D2BD4ED6CA57

Function 008F637F Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ce97060a32973f93f9467e06ade7d49fe6745fd3a6c87e0a4ce87889c7d7b2d1
Instruction ID: 8ed26f060df5e6f2663143543ced54276c41f188f008070430f1a00747a2fd59
Opcode Fuzzy Hash: ce97060a32973f93f9467e06ade7d49fe6745fd3a6c87e0a4ce87889c7d7b2d1
Instruction Fuzzy Hash: A241DEB0E4512D9FFB248B24CC49BFABA79FB91304F1042F9D54D96281D6B85ED1CE41

Function 008F67C4 Relevance: 1.4, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 907c32b54d530066ccdc700a404bd0125b8112fc6ff0f3931a97be4fa41bb1dd
Instruction ID: 689012e7989bcb27511818f72974501e7f4858ad675787a517e89c3e576c06f7
Opcode Fuzzy Hash: 907c32b54d530066ccdc700a404bd0125b8112fc6ff0f3931a97be4fa41bb1dd
Instruction Fuzzy Hash: D741A170A0916D8FEB248B24CC997FAB7B4FB42315F1442E9D5899A181D7785ED0CF02

Function 008F5784 Relevance: 1.3, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b63f37dce359e32c705f34230a50e65cd9e4e936fb149e3664a9294293441f0e
Instruction ID: 5c6c58312c67d6f64b987274f795f163802a7709cc2ee9c5ad1d25f3ad3c7a01
Opcode Fuzzy Hash: b63f37dce359e32c705f34230a50e65cd9e4e936fb149e3664a9294293441f0e
Instruction Fuzzy Hash: 6A3180B1E1512C9FEB249A24DC597FA7679FF81304F1841F9D64D96280E7B85EC08F02

Function 0041A41D Relevance: 1.3, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 29080d96b95a6c36101a227888c6101e968bc040e2918fe26203054658d55746
Instruction ID: d570770a524d128368dbe623f5d9a5287152d361d6ed24f1753d7f1ecad7c6b4
Opcode Fuzzy Hash: 29080d96b95a6c36101a227888c6101e968bc040e2918fe26203054658d55746
Instruction Fuzzy Hash: A831AFB2D041559FE7208A14DD89BFBB778EB84310F2440B7EC0DA7680D6789EC68A56

Function 008F58D2 Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6427ad70b8a6e71b14d44b891e10573e21b0c0d1206dcf283a2e2005312295e6
Instruction ID: c32db67ff743222b9c7256c0bfbd884225296f3defad5ad7bcfbc7fd8a2ccf3a
Opcode Fuzzy Hash: 6427ad70b8a6e71b14d44b891e10573e21b0c0d1206dcf283a2e2005312295e6
Instruction Fuzzy Hash: 6B3192B1E1552C8FEB248A14DC497FA7679FF91304F1441FAD64D96280E6B85EC1CF02

Function 008F680B Relevance: 1.3, APIs: 1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c5e23b887a73ba4463e5d6b2aa0441aa84304a7c0074681eaa96e7a314029b58
Instruction ID: a4891003f5b930495f5483d3803cd1c2d5d802719cf55d40130af378dc3c1941
Opcode Fuzzy Hash: c5e23b887a73ba4463e5d6b2aa0441aa84304a7c0074681eaa96e7a314029b58
Instruction Fuzzy Hash: 84310670A0926C9FEB249F24C8897F977B4FB42304F1001EDD68999182D7B84ED1CF02

Function 008F63AE Relevance: 1.3, APIs: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2224f439385162fd301ab811778ece9defcc2287510a1ed21558d66ff9041f6c
Instruction ID: 9f1617896e6d95733f38d9ed517e39c3e0539239ea771b73e43f72b3e25187eb
Opcode Fuzzy Hash: 2224f439385162fd301ab811778ece9defcc2287510a1ed21558d66ff9041f6c
Instruction Fuzzy Hash: 2B31AFB0A4512D9FFB248F24CC59BF9B779FB92314F1041E9D5499A281DAB85EC1CF01

Function 008F54DB Relevance: 1.3, APIs: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fb6d81eca2fa5af27d30ee4700f41b4d83ff7fd485674375b8065b78594a9b4c
Instruction ID: 285401a40f0605f964f262d8f0cbc7eae4f972b2b8aaece5280fed91b7c440eb
Opcode Fuzzy Hash: fb6d81eca2fa5af27d30ee4700f41b4d83ff7fd485674375b8065b78594a9b4c
Instruction Fuzzy Hash: 0E318070A0912D8FEB24CE15D949BE9B7B5FF82304F1441EDD9899A281E7B45ED0CF82

Function 008F5D08 Relevance: 1.3, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ab792f98daa9152bdeb5b580cb51dd8d1f036de8d0f5729ff18366067c5d3c7e
Instruction ID: 9f8c441469d73266740a0a197bb56e5b88b8343537225666f80bf160cf030b65
Opcode Fuzzy Hash: ab792f98daa9152bdeb5b580cb51dd8d1f036de8d0f5729ff18366067c5d3c7e
Instruction Fuzzy Hash: 7F317CB0A4512C8FEB249B14C8597F9B6B9FF52304F0441E9D64996280E7B85EC0CF42

Function 008F6830 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ec6fd05c990fb177cd30a2e324e6dc882e21cd6d2467c619534d91d1e2478f6
Instruction ID: b4b040189f17bbd14b25c29c4ac0efddb2adaca9953017c325f7653b7e0edd46
Opcode Fuzzy Hash: 0ec6fd05c990fb177cd30a2e324e6dc882e21cd6d2467c619534d91d1e2478f6
Instruction Fuzzy Hash: BB31BF70A0922CCFEB248F24C8497F9B7B5FB42314F1401E9D68996181E7B45ED0CF02

Function 008F54BF Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ddb9c4d3f6461fa0a06a459722400da86cca77ecdf52b02c10173b0aaf6240d
Instruction ID: a1584798c39e5dc6d763eb1cd409c94edd0d851fcef558a1391c1a89b43d5eb5
Opcode Fuzzy Hash: 0ddb9c4d3f6461fa0a06a459722400da86cca77ecdf52b02c10173b0aaf6240d
Instruction Fuzzy Hash: A121C470A0926C9FEB208F25C8497EABB75FF92304F0401EDD6899A182D7B44ED4CF42

Function 008F6336 Relevance: 1.3, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5183480aa0b440dad06a0e59b8a558d1d888181f103cd053aebf900d89086b44
Instruction ID: 63259a3d95ab5c5c091bdd9025c408f158504e1e3cd9cdf0d7f715296971c9fc
Opcode Fuzzy Hash: 5183480aa0b440dad06a0e59b8a558d1d888181f103cd053aebf900d89086b44
Instruction Fuzzy Hash: 2021B2B0A4512D9FEB208E14DC497EAB779FB46314F0400E9DA4996241D7B95ED0CF42

Function 008F640B Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2c45ef62b780a3a200a79ecc01241998db3e781816f6f769dc0521fb94dd9b18
Instruction ID: b8909aa3cf733088cf4a4adad580cbc195c2c0f5d87253fa0b98a157460cc60f
Opcode Fuzzy Hash: 2c45ef62b780a3a200a79ecc01241998db3e781816f6f769dc0521fb94dd9b18
Instruction Fuzzy Hash: C821AF70A4512C8FEB248F15C849BE9B779FB82304F1441E9D5899A141D7B49ED1CF02

Function 008F6862 Relevance: 1.3, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c7f464a65d02188d2ee8460061d8ded33d67b0e9a6fad5a89614a3ad81e79987
Instruction ID: be63a9a1e74272839cc247fe0a8751c20f0bf3bf8f1ba54410bdf8c55fb05c88
Opcode Fuzzy Hash: c7f464a65d02188d2ee8460061d8ded33d67b0e9a6fad5a89614a3ad81e79987
Instruction Fuzzy Hash: FE218C70A0926C8FEB24CF24C8497E9BBB5FF46304F0441D9D689AA182D7B45ED0CF42

Function 008F634F Relevance: 1.3, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a020afe7b41f47b97a0098f4070571b7fc7cba30ace9b95ec7603f8bc82b07d8
Instruction ID: dd355f477101e9d9fb01da80314369295e7c51394a1760f3f4cfcaaf127d410d
Opcode Fuzzy Hash: a020afe7b41f47b97a0098f4070571b7fc7cba30ace9b95ec7603f8bc82b07d8
Instruction Fuzzy Hash: C7217C70A4522DCFEB248F25C8497E9BBB9FB46304F0400E9D589AA181D7B45ED0CF42

Function 0090C94E Relevance: 1.3, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0090D49F

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 03f27b90ac4b99cb948c9259d21fe80c0cd3d34fa65889c731042f178f676ff2
Instruction ID: 89b4a337da3eb5096f4a33812ba3ca0a268ff1206cc8c18651c3202d83df1ff9
Opcode Fuzzy Hash: 03f27b90ac4b99cb948c9259d21fe80c0cd3d34fa65889c731042f178f676ff2
Instruction Fuzzy Hash: F01168E2E5E3089EFB280AA4DC697BA7A68D741710F1441BFDA0B145C2D5BD2BC08563

Function 0090C0E5 Relevance: 1.3, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0090D49F

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4df710cc511ab3e1a476f22e4b414b27eb6dcc7059dca2a96385b01a6f229788
Instruction ID: 8b840d0ad07e742bda48a9cc5ce608f82accb98d3afcbea4ee9b4a320ca2ec9c
Opcode Fuzzy Hash: 4df710cc511ab3e1a476f22e4b414b27eb6dcc7059dca2a96385b01a6f229788
Instruction Fuzzy Hash: 3A0128E2E5E3089EFB280690DC597B67A68D741725F1441BEDA0A141C1D5BD2AC08563

Function 008F5D5B Relevance: 1.3, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 33211f2559424aeb37ad58b17db63fa7e396f1b4362fb22b52064d52a0c2edfe
Instruction ID: bf6ab99218b63dc2722b2b40758cf5fe75a1634b5911682d0a60698210b1aa4d
Opcode Fuzzy Hash: 33211f2559424aeb37ad58b17db63fa7e396f1b4362fb22b52064d52a0c2edfe
Instruction Fuzzy Hash: 33219A70A4922C8FEB24CF24C8597E9B7B5FF42308F0441D9D689AA181D7B88ED4CF02

Function 008F6875 Relevance: 1.3, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008F68B4

Memory Dump Source

Source File: 00000000.00000002.1520757764.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08a928a999e95b40d124416526e2213aac4a38d20a6c1124ea9b7a7c42421095
Instruction ID: b480bf9f3d65ac69f07e10bc9eea8cdbac6650a902ff8faab924a4fe9dd35b1f
Opcode Fuzzy Hash: 08a928a999e95b40d124416526e2213aac4a38d20a6c1124ea9b7a7c42421095
Instruction Fuzzy Hash: 89215870A4922DCFEB248F24C8497E9B7B5FB46304F0441D9D589AA281DBB49ED0CF02

Function 0041A2FD Relevance: 1.3, APIs: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1519755457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1519711277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519836452.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519868204.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1519921116.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f299c123f6a1141e2bfcddf222696ac1948d9bb74d6550779eb58fda38854e01
Instruction ID: d742e8a0be69d366727acb49402eb69a7df7b83cbe85b0c4f3b44d59bb3f023f
Opcode Fuzzy Hash: f299c123f6a1141e2bfcddf222696ac1948d9bb74d6550779eb58fda38854e01
Instruction Fuzzy Hash: F0018FF2D45259AFF3118510DC89BFB7638EB84324F2500B7E90D96380D6BD9FC68A56

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PDFonlineseguro.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
PDFonlineseguro.exe

Function 008F6465 Relevance: 31.9, APIs: 1, Strings: 20, Instructions: 367
memoryCOMMON

Function 00908DD9 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 425
memoryCOMMON

Function 0041290D Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 490
libraryCOMMON

Function 0092FE3E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMON

Function 008FCFD7 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 254
processCOMMON

Function 0092FBE5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 234
COMMON

Function 00412563 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 645
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre