Edit tour

Windows Analysis Report
PDFonlineseguro.exe

Overview

General Information

Sample name:	PDFonlineseguro.exe
Analysis ID:	1587432
MD5:	fddcc6db43b7aea103c315249bc12bbe
SHA1:	97f3ce1e1008deef73aed1d4f58bf184146ad243
SHA256:	bf836b14f236cce4cecd3b261b4e9b3f2f159ac9661cc2bf351e3533a7e8e5eb
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected AntiVM3

AI detected suspicious sample

Allocates memory in foreign processes

Drops PE files to the document folder of the user

Drops large PE files

Injects a PE file into a foreign processes

May modify the system service descriptor table (often done to hook functions)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PDFonlineseguro.exe (PID: 4648 cmdline: "C:\Users\user\Desktop\PDFonlineseguro.exe" MD5: FDDCC6DB43B7AEA103C315249BC12BBE)

csc.exe (PID: 2344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3320973321.0000000009970000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3320566149.00000000084C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3320140298.0000000007321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 2344	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 2344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.csc.exe.8549828.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.csc.exe.9970000.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PDFonlineseguro.exe, ProcessId: 4648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NordicVPN

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Unpacked PE file: 0.2.PDFonlineseguro.exe.400000.0.unpack

Source: PDFonlineseguro.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: D:\ActiveClean\src\user\TMCOMMENG\Release\tmcomeng.pdbPMZ source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\tmavsetup\Release\TmEngDrv.pdbP source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\RootkitScanner\Release\RootkitBuster.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\tmavsetup\Release\TmEngDrv.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\TMCOMMENG\Release\tmcomeng.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\activeclean\src\sys\output\fre_wxp_x86\i386\tmcomm.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00406A80 FindFirstFileW,FindClose,		0_2_00406A80
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00405570 SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,		0_2_00405570

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 4x nop then push esi

0_2_0040A4B0

Source: global traffic

TCP traffic: 192.168.2.8:49710 -> 181.71.216.203:30203

Source: global traffic

TCP traffic: 192.168.2.8:62337 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 181.71.216.203 181.71.216.203

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net

Source: csc.exe, 00000003.00000002.3320140298.0000000007321000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3320140298.000000000757B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3320140298.00000000073B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000003.00000002.3320140298.0000000007321000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File dump: RemotePCPrinter.exe.0.dr 959667331

Jump to dropped file

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_00407070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00407070

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412EE7	0_2_00412EE7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041C054	0_2_0041C054
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041C00B	0_2_0041C00B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041303C	0_2_0041303C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041A0DC	0_2_0041A0DC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004120B2	0_2_004120B2
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004260B6	0_2_004260B6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041694D	0_2_0041694D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412905	0_2_00412905
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041290D	0_2_0041290D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041B9DC	0_2_0041B9DC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041A1E4	0_2_0041A1E4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004159F1	0_2_004159F1
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041AA4B	0_2_0041AA4B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041425D	0_2_0041425D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041C26C	0_2_0041C26C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00414A08	0_2_00414A08
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412A0D	0_2_00412A0D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412A36	0_2_00412A36
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412AE3	0_2_00412AE3
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412AB5	0_2_00412AB5
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00416B48	0_2_00416B48
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412B56	0_2_00412B56
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00416B5B	0_2_00416B5B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00416B0B	0_2_00416B0B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041B314	0_2_0041B314
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041E316	0_2_0041E316
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412B27	0_2_00412B27
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00416B35	0_2_00416B35
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00426B34	0_2_00426B34
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004133D4	0_2_004133D4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412BBC	0_2_00412BBC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412C5E	0_2_00412C5E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415C77	0_2_00415C77
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412CD6	0_2_00412CD6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415CDC	0_2_00415CDC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004144E2	0_2_004144E2
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004134E5	0_2_004134E5
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00413489	0_2_00413489
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041E492	0_2_0041E492
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415D41	0_2_00415D41
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412D4D	0_2_00412D4D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041B54D	0_2_0041B54D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415D53	0_2_00415D53
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412563	0_2_00412563
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041AD6D	0_2_0041AD6D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00415D32	0_2_00415D32
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00425DCF	0_2_00425DCF
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412D96	0_2_00412D96
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00413D9B	0_2_00413D9B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00419E63	0_2_00419E63
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00419E6E	0_2_00419E6E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412E00	0_2_00412E00
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041BE24	0_2_0041BE24
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00413629	0_2_00413629
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004136A8	0_2_004136A8
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00419F47	0_2_00419F47
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412F5B	0_2_00412F5B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412F68	0_2_00412F68
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00420F6C	0_2_00420F6C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00412F2D	0_2_00412F2D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0041BFF9	0_2_0041BFF9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CACA85	0_2_00CACA85
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CB8DD9	0_2_00CB8DD9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CBF0D5	0_2_00CBF0D5
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CB984B	0_2_00CB984B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CBC044	0_2_00CBC044
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CB9992	0_2_00CB9992
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA596E	0_2_00CA596E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA726C	0_2_00CA726C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA8B47	0_2_00CA8B47
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CB8B58	0_2_00CB8B58
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA736F	0_2_00CA736F
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA232A	0_2_00CA232A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CBC331	0_2_00CBC331
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CBA444	0_2_00CBA444
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA6465	0_2_00CA6465
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CBEC7B	0_2_00CBEC7B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA2409	0_2_00CA2409
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CAC42C	0_2_00CAC42C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CBE423	0_2_00CBE423
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CBADCA	0_2_00CBADCA
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CB959F	0_2_00CB959F
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA6D9D	0_2_00CA6D9D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA6D66	0_2_00CA6D66
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA6D03	0_2_00CA6D03
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CB8D06	0_2_00CB8D06
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CA6D28	0_2_00CA6D28
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CAB522	0_2_00CAB522
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CBC521	0_2_00CBC521
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CBC63A	0_2_00CBC63A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CACFD7	0_2_00CACFD7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00CB9F4D	0_2_00CB9F4D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251E012	0_2_0251E012
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251C45E	0_2_0251C45E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252341D	0_2_0252341D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251925E	0_2_0251925E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252224C	0_2_0252224C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DA71	0_2_0251DA71
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DA7B	0_2_0251DA7B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DA34	0_2_0251DA34
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02514A37	0_2_02514A37
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DAD7	0_2_0251DAD7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025222F6	0_2_025222F6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02522292	0_2_02522292
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025242A4	0_2_025242A4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02521355	0_2_02521355
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02521345	0_2_02521345
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DB4D	0_2_0251DB4D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524372	0_2_02524372
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02521B75	0_2_02521B75
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524B7B	0_2_02524B7B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DB66	0_2_0251DB66
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524B6C	0_2_02524B6C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252336D	0_2_0252336D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02521316	0_2_02521316
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524308	0_2_02524308
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D30C	0_2_0251D30C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D333	0_2_0251D333
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02523BD9	0_2_02523BD9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025173CB	0_2_025173CB
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DBCC	0_2_0251DBCC
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251FBE5	0_2_0251FBE5
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02514B83	0_2_02514B83
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D38C	0_2_0251D38C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025143B0	0_2_025143B0
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02523BA3	0_2_02523BA3
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251E05B	0_2_0251E05B
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251E044	0_2_0251E044
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252407E	0_2_0252407E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251001F	0_2_0251001F
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251002C	0_2_0251002C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025220F1	0_2_025220F1
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025230F4	0_2_025230F4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025230E0	0_2_025230E0
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025100EA	0_2_025100EA
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D0BE	0_2_0251D0BE
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251F0A4	0_2_0251F0A4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D8AE	0_2_0251D8AE
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251E150	0_2_0251E150
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D158	0_2_0251D158
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251494C	0_2_0251494C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D173	0_2_0251D173
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251496A	0_2_0251496A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D96C	0_2_0251D96C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251E131	0_2_0251E131
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252413A	0_2_0252413A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D921	0_2_0251D921
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D129	0_2_0251D129
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025149D9	0_2_025149D9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025249C8	0_2_025249C8
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025241F2	0_2_025241F2
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251E9FA	0_2_0251E9FA
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025149FD	0_2_025149FD
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025221E8	0_2_025221E8
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D1B4	0_2_0251D1B4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025241AB	0_2_025241AB
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D1AB	0_2_0251D1AB
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251CE53	0_2_0251CE53
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252365A	0_2_0252365A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02518E58	0_2_02518E58
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DE76	0_2_0251DE76
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251767D	0_2_0251767D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252367E	0_2_0252367E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02523E7C	0_2_02523E7C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251CE03	0_2_0251CE03
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02523E00	0_2_02523E00
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DE02	0_2_0251DE02
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DE07	0_2_0251DE07
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251FE3E	0_2_0251FE3E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DEDA	0_2_0251DEDA
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025236F4	0_2_025236F4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D6FF	0_2_0251D6FF
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02522697	0_2_02522697
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252369D	0_2_0252369D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02523E83	0_2_02523E83
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524E8D	0_2_02524E8D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251E752	0_2_0251E752
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252476E	0_2_0252476E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0252376C	0_2_0252376C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02522714	0_2_02522714
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02522738	0_2_02522738
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524739	0_2_02524739
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DF2D	0_2_0251DF2D
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D7D4	0_2_0251D7D4
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025237A1	0_2_025237A1
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524C53	0_2_02524C53
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D456	0_2_0251D456
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524C71	0_2_02524C71
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D40E	0_2_0251D40E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02523C2A	0_2_02523C2A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DCD2	0_2_0251DCD2
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251E4F3	0_2_0251E4F3
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524CF1	0_2_02524CF1
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524CFE	0_2_02524CFE
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524CE9	0_2_02524CE9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02514C96	0_2_02514C96
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524C9A	0_2_02524C9A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251CD74	0_2_0251CD74
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D564	0_2_0251D564
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524D6A	0_2_02524D6A
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D513	0_2_0251D513
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D50C	0_2_0251D50C
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524DC6	0_2_02524DC6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251DDC7	0_2_0251DDC7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251EDFE	0_2_0251EDFE
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524DE3	0_2_02524DE3
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_025235E9	0_2_025235E9
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02523D80	0_2_02523D80
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251D586	0_2_0251D586
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02524DA7	0_2_02524DA7
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0251CDAD	0_2_0251CDAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05683028	3_2_05683028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05683038	3_2_05683038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09964D68	3_2_09964D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0996C180	3_2_0996C180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0996F5A8	3_2_0996F5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09964650	3_2_09964650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09963D00	3_2_09963D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09963CB0	3_2_09963CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09963CF1	3_2_09963CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0996D1B0	3_2_0996D1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0996C4A7	3_2_0996C4A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0996844F	3_2_0996844F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09964796	3_2_09964796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09964640	3_2_09964640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CADDD8	3_2_09CADDD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CAC458	3_2_09CAC458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CADDC9	3_2_09CADDC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09E71160	3_2_09E71160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09E72EF8	3_2_09E72EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09E70890	3_2_09E70890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09E72EE9	3_2_09E72EE9

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: String function: 0041E430 appears 66 times

Source: PDFonlineseguro.exe	Static PE information: Resource name: DRIVER type: PE32 executable (native) Intel 80386, for MS Windows
Source: PDFonlineseguro.exe	Static PE information: Resource name: TMCOMMDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: PDFonlineseguro.exe	Static PE information: Resource name: TMENGDRV type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: PDFonlineseguro.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: RemotePCPrinter.exe.0.dr	Static PE information: Resource name: DRIVER type: PE32 executable (native) Intel 80386, for MS Windows
Source: RemotePCPrinter.exe.0.dr	Static PE information: Resource name: TMCOMMDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RemotePCPrinter.exe.0.dr	Static PE information: Resource name: TMENGDRV type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RemotePCPrinter.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: PDFonlineseguro.exe	Binary or memory string: %sOriginalFileName vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTmComm.sysN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1731200472.0000000002A09000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRootkitBuster.exeN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRootkitBuster.exeN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000000.1464143880.000000000044E000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: %sOriginalFileName vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000000.1464143880.000000000044E000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OD.H%sSpecialBuild%sPrivateBuild%sLegalTrademarks%sComments%sProductVersion%sProductName%sOriginalFileName%sLegalCopyright%sInternalName%sFileVersion%sFileDescription%sCompanyName\StringFileInfo\%04X%04X\\VarFileInfo\Translation\Leaving destruct CSICReportLogger objectD:\ActiveClean\src\user\RootkitScanner\source\SICReportLogger.cppCSICReportLogger::~CSICReportLogger()Entering destruct CSICReportLogger objectLog File Handle not Initialized.CSIC::LogString()No memory space can be allocated.CSIC::LogSingleString()leaving Initialize CSIC scan object ret=%d%s%s\%s\%sSICLOGCSICReportLogger::Initialize()Entering Initialize CSICReportLogger objectCSICReportLogger::LogBytes()CSICReportLogger::_CloseLogFileCloseLogFile\%%s%%.%dd.%%sCan't find next file, ErrNo=%d%s*.%sTXTCSICReportLogger::RotateFileName()X86PROCESSOR_ARCHITEW6432PROCESSOR_ARCHITECTUREAfter uninstall driver=%dD:\ActiveClean\src\user\RootkitScanner\source\TMRKScanWin.cpp(Needn't waiting)bStopped=%dWinAppDestructor()(After waiting)bStopped=%d+----------------------------------------------------+ vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1731200472.00000000028B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %sOriginalFileName vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1731200472.00000000028B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OD.H%sSpecialBuild%sPrivateBuild%sLegalTrademarks%sComments%sProductVersion%sProductName%sOriginalFileName%sLegalCopyright%sInternalName%sFileVersion%sFileDescription%sCompanyName\StringFileInfo\%04X%04X\\VarFileInfo\Translation\Leaving destruct CSICReportLogger objectD:\ActiveClean\src\user\RootkitScanner\source\SICReportLogger.cppCSICReportLogger::~CSICReportLogger()Entering destruct CSICReportLogger objectLog File Handle not Initialized.CSIC::LogString()No memory space can be allocated.CSIC::LogSingleString()leaving Initialize CSIC scan object ret=%d%s%s\%s\%sSICLOGCSICReportLogger::Initialize()Entering Initialize CSICReportLogger objectCSICReportLogger::LogBytes()CSICReportLogger::_CloseLogFileCloseLogFile\%%s%%.%dd.%%sCan't find next file, ErrNo=%d%s*.%sTXTCSICReportLogger::RotateFileName()X86PROCESSOR_ARCHITEW6432PROCESSOR_ARCHITECTUREAfter uninstall driver=%dD:\ActiveClean\src\user\RootkitScanner\source\TMRKScanWin.cpp(Needn't waiting)bStopped=%dWinAppDestructor()(After waiting)bStopped=%d+----------------------------------------------------+ vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000000.1464189519.000000000049F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametmcomeng.dllN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe, 00000000.00000002.1731200472.0000000002904000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTmComm.sysN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: %sOriginalFileName vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OD.H%sSpecialBuild%sPrivateBuild%sLegalTrademarks%sComments%sProductVersion%sProductName%sOriginalFileName%sLegalCopyright%sInternalName%sFileVersion%sFileDescription%sCompanyName\StringFileInfo\%04X%04X\\VarFileInfo\Translation\Leaving destruct CSICReportLogger objectD:\ActiveClean\src\user\RootkitScanner\source\SICReportLogger.cppCSICReportLogger::~CSICReportLogger()Entering destruct CSICReportLogger objectLog File Handle not Initialized.CSIC::LogString()No memory space can be allocated.CSIC::LogSingleString()leaving Initialize CSIC scan object ret=%d%s%s\%s\%sSICLOGCSICReportLogger::Initialize()Entering Initialize CSICReportLogger objectCSICReportLogger::LogBytes()CSICReportLogger::_CloseLogFileCloseLogFile\%%s%%.%dd.%%sCan't find next file, ErrNo=%d%s*.%sTXTCSICReportLogger::RotateFileName()X86PROCESSOR_ARCHITEW6432PROCESSOR_ARCHITECTUREAfter uninstall driver=%dD:\ActiveClean\src\user\RootkitScanner\source\TMRKScanWin.cpp(Needn't waiting)bStopped=%dWinAppDestructor()(After waiting)bStopped=%d+----------------------------------------------------+ vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OriginalFilenameTmComm.sysN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OriginalFilenametmcomeng.dllN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OriginalFilenameTmEngDrv.dllN vs PDFonlineseguro.exe
Source: PDFonlineseguro.exe	Binary or memory string: OriginalFilenameRootkitBuster.exeN vs PDFonlineseguro.exe

Source: PDFonlineseguro.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: RemotePCPrinter.exe.0.dr	Binary string: \Device\LanmanRedirector\
Source: RemotePCPrinter.exe.0.dr	Binary string: \\\Device\Harddisk
Source: RemotePCPrinter.exe.0.dr	Binary string: \SystemRoot\TmComm.log\Device\TmComm>>> CFG-GetSDTProc(%d, %s)=%p
Source: RemotePCPrinter.exe.0.dr	Binary string: Utility\??\\??\UNC\\Device\HarddiskIoValidateDeviceIoControlAccessIoCreateDeviceSecureD:P
Source: RemotePCPrinter.exe.0.dr	Binary string: \Device\LanmanRedirector\;
Source: RemotePCPrinter.exe.0.dr	Binary string: \??\\??\UNC\\\?\\??\\Registry\Machine\\Registry\User\\Registry\Machine\Software\Classes\\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current\.*\Device\LanmanRedirector\;\Device\LanmanRedirector\\??\UNC\\SystemRoot\\??\\Device\LanmanRedirector\;\Device\LanmanRedirector\\??\UNC\\SystemRoot\\??\
Source: RemotePCPrinter.exe.0.dr	Binary string: aD\\\Device\Harddisk

Source: classification engine

Classification label: mal92.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_00407070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00407070

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_004068B0 FindResourceW,LoadResource,SizeofResource,CreateFileW,WriteFile,CloseHandle,

0_2_004068B0

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File created: C:\Users\user\Documents\NordVPNnetworkTAP

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234

Source: PDFonlineseguro.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PDFonlineseguro.exe

String found in binary or memory: >>> CFG-AddEP(%03x, %03x)=%#x

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File read: C:\Users\user\Desktop\PDFonlineseguro.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PDFonlineseguro.exe "C:\Users\user\Desktop\PDFonlineseguro.exe"
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: a.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PDFonlineseguro.exe

Static file information: File size 2334801 > 1048576

Source: PDFonlineseguro.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1e3000

Source: PDFonlineseguro.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\ActiveClean\src\user\TMCOMMENG\Release\tmcomeng.pdbPMZ source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\tmavsetup\Release\TmEngDrv.pdbP source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\RootkitScanner\Release\RootkitBuster.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\tmavsetup\Release\TmEngDrv.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: D:\ActiveClean\src\user\TMCOMMENG\Release\tmcomeng.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\activeclean\src\sys\output\fre_wxp_x86\i386\tmcomm.pdb source: PDFonlineseguro.exe, RemotePCPrinter.exe.0.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Unpacked PE file: 0.2.PDFonlineseguro.exe.400000.0.unpack

Yara detected Costura Assembly Loader

Source: Yara match	File source: 3.2.csc.exe.8549828.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.csc.exe.9970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3320973321.0000000009970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3320566149.00000000084C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3320140298.0000000007321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 2344, type: MEMORYSTR

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0040DC10 push eax; ret	0_2_0040DC3E
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0040F688 push eax; ret	0_2_0040F6A6
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_02511630 push edi; retf 0000h	0_2_02511635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_056871F4 push es; ret	3_2_056871F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05686991 pushad ; retf	3_2_0568699D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09968331 pushfd ; ret	3_2_09968337
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CA1ACB push CDE8CF8Bh; retf	3_2_09CA1AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CAB7B0 pushad ; iretd	3_2_09CAB7D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09ED3D0F push ebx; ret	3_2_09ED3D15

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File created: C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

File created: C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NordicVPN			Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NordicVPN			Jump to behavior

Hooking and other Techniques for Hiding and Protection

May modify the system service descriptor table (often done to hook functions)

Source: PDFonlineseguro.exe, 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: PDFonlineseguro.exe, 00000000.00000002.1731200472.0000000002904000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: PDFonlineseguro.exe	Binary or memory string: KeServiceDescriptorTable
Source: RemotePCPrinter.exe.0.dr	Binary or memory string: KeServiceDescriptorTable

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_004080C0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		0_2_004080C0
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_0040CB46 IsIconic,GetWindowPlacement,GetWindowRect,		0_2_0040CB46

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_00401970 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetModuleFileNameW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_00401970

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: csc.exe PID: 2344, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 5680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 7320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 9320000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 373000	Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Dropped PE file which has not been started: C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3524	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6388	Thread sleep count: 200 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 4124	Thread sleep time: -373000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00406A80 FindFirstFileW,FindClose,		0_2_00406A80
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Code function: 0_2_00405570 SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,		0_2_00405570

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 373000	Jump to behavior

Source: csc.exe, 00000003.00000002.3321341566.0000000009F38000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluint

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 3_2_09CAE028 LdrInitializeThunk,

3_2_09CAE028

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5220000 protect: page readonly

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5220000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5220000			Jump to behavior
Source: C:\Users\user\Desktop\PDFonlineseguro.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4E49008			Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_00CC8675 cpuid

0_2_00CC8675

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_0040F112 GetLocalTime,GetSystemTime,GetTimeZoneInformation,SendMessageW,FindWindowExW,

0_2_0040F112

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_0040F112 GetLocalTime,GetSystemTime,GetTimeZoneInformation,SendMessageW,FindWindowExW,

0_2_0040F112

Source: C:\Users\user\Desktop\PDFonlineseguro.exe

Code function: 0_2_004058C0 GetVersionExA,

0_2_004058C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: csc.exe, 00000003.00000003.1704740740.0000000009F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: csc.exe, 00000003.00000002.3319730259.00000000056FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	31 Process Injection	11 Disable or Modify Tools	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	135 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
newstaticfreepoint24.ddns-ip.net	181.71.216.203	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000003.00000002.3320140298.0000000007321000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000003.00000002.3320140298.0000000007321000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3320140298.000000000757B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3320140298.00000000073B5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000003.00000002.3321113585.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000088DB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1921167999.00000000087A1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
181.71.216.203	newstaticfreepoint24.ddns-ip.net	Colombia		27831	ColombiaMovilCO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587432
Start date and time:	2025-01-10 11:40:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PDFonlineseguro.exe
Detection:	MAL
Classification:	mal92.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 341 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:41:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NordicVPN C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe
11:41:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NordicVPN C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
181.71.216.203	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse
	AdobePDF.exe	Get hash	malicious	Unknown	Browse
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
newstaticfreepoint24.ddns-ip.net	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	181.71.216.203
	SHROsQyiAd.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	4JwhvqLe8n.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	181.131.217.244

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	6.elf	Get hash	malicious	Unknown	Browse	181.70.170.80
	173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6
	17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe	Get hash	malicious	Remcos	Browse	179.15.136.6

Process:	C:\Users\user\Desktop\PDFonlineseguro.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	959667331
Entropy (8bit):	0.0378714111132915
Encrypted:	false
SSDEEP:
MD5:	0F5B1010F65FF84026DBB1599DC4C446
SHA1:	A93AD805CEF6121875AA671B8CB88556E8E41352
SHA-256:	ACBA3E7ADBCB4696364B3B2CF2DE8970A9C11F0A2F0D2B2059738EC7B13AB8BC
SHA-512:	E804413DC05443C564E50806B3FA746BCFA4120D9F081789B820F9AB5F20A5B243386B149C574729661FFDAD71A1A47236FF8FC654298DA5F644B8701DA32C65
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@..@..@..@..@...L..@......@..A.q.@......@...K..@...N..@...J.5.@...K..@..K..@.X.F..@.Rich..@..H.$..PE..L......E..........................................@...........................#.........................................................x-...........................................................................................................text...~........................... ..`.rdata..............................@..@.data...H...........................@....rsrc...x-.......0...p..............@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.181190846088643
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PDFonlineseguro.exe
File size:	2'334'801 bytes
MD5:	fddcc6db43b7aea103c315249bc12bbe
SHA1:	97f3ce1e1008deef73aed1d4f58bf184146ad243
SHA256:	bf836b14f236cce4cecd3b261b4e9b3f2f159ac9661cc2bf351e3533a7e8e5eb
SHA512:	601ae10269e94df22227976154ee72019142e32592edbba49971052c3e717dd52b966631b2a6f474b92eee8fa0a188d8d46d0cb29f5b9eb69854f403cdcfd3fc
SSDEEP:	24576:NUXOTB5dYdJ28+BaykZ+1XGRSK3FrTOX5F13db67IXgd2nB3TM1J2dv5iGoTEtQG:OaER4DXGJ1T+v1340Xf38GLC8e4
TLSH:	B3B5BF20A2859997F69274B4123FE5F7E22127309E11C487F3C59F2EB875DD0983AB87
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............@...@...@...@...@...L...@.......@...A.q.@.......@...K...@...N...@...J.5.@...K...@...K...@.X.F...@.Rich..@....H.$..PE..L..

File Icon


Icon Hash:	03032725047cfe60

Static PE Info

General

Entrypoint:	0x40d5c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x45BF13D2 [Tue Jan 30 09:45:54 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5fb09959021d8f9c65e9a957b247adac

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00444FB0h
push 004114D0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004413C8h]
xor edx, edx
mov dl, ah
mov dword ptr [00459274h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00459270h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0045926Ch], ecx
shr eax, 10h
mov dword ptr [00459268h], eax
push 00000001h
call 00007F6BA4D250B9h
pop ecx
test eax, eax
jne 00007F6BA4D2131Ah
push 0000001Ch
call 00007F6BA4D213D7h
pop ecx
call 00007F6BA4D24D9Ah
test eax, eax
jne 00007F6BA4D2131Ah
push 00000010h
call 00007F6BA4D213C6h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F6BA4D24B74h
call 00007F6BA4D24ACEh
mov dword ptr [0045AD14h], eax
call 00007F6BA4D24957h
mov dword ptr [0045925Ch], eax
call 00007F6BA4D24724h
call 00007F6BA4D24667h
call 00007F6BA4D2237Ch
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0044120Ch]
call 00007F6BA4D2460Bh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F6BA4D21318h
movzx eax, word ptr [ebp-2Ch]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b498	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x1e2d78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x417e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x41000	0x7dc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3fa7e	0x40000	ce4e2154cbe4e7156492dc1cc0f693ce	False	0.5431098937988281	data	6.484004415784614	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x41000	0xceba	0xd000	19619226e29a06fa4d01a78b7906fd9e	False	0.4609375	data	5.733152244637936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4e000	0xd848	0x9000	00473552ce4b9e86c7a55926c18dc927	False	0.2333441840277778	data	3.330419442779499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5c000	0x1e2d78	0x1e3000	c02073652d12fcfb1dd9e62784ad4fe1	False	0.628267845011646	data	7.322211817710192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
CATALOG	0x5cbac	0x2974	data	English	United States	0.534206558612891
DRIVER	0x5f520	0x19190	PE32 executable (native) Intel 80386, for MS Windows	Chinese	Taiwan	0.47299610894941635
INFINSTALL	0x786b0	0x996	Windows setup INFormation	English	United States	0.40179299103504484
TMCOMMDLL	0x79048	0x2b047	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Chinese	Taiwan	0.42348140454826644
TMENGDRV	0xa4090	0x1b047	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Chinese	Taiwan	0.4508824087545069
RT_CURSOR	0xbf0d8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0xbf20c	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_BITMAP	0xbf2c0	0x55028	PC bitmap, Windows 3.x format, 44486 x 2 x 51, image size 348736, cbSize 348200, bits offset 54			0.9996209075244112
RT_BITMAP	0x1142e8	0x33b8c	PC bitmap, Windows 3.x format, 26784 x 2 x 54, image size 212356, cbSize 211852, bits offset 54			1.0001746502275173
RT_BITMAP	0x147e74	0x5b78	Device independent bitmap graphic, 507 x 44 x 8, image size 22352	Chinese	Taiwan	0.3262726340963444
RT_BITMAP	0x14d9ec	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	English	United States	0.34615384615384615
RT_BITMAP	0x14dfd0	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x14e088	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	English	United States	0.28296703296703296
RT_BITMAP	0x14e1f4	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0x14e338	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.37436413107772387
RT_ICON	0x15eb60	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.3590576287198866
RT_ICON	0x162d88	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.295701464336325
RT_ICON	0x166fb0	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	Chinese	Taiwan	0.5231481481481481
RT_DIALOG	0x167c58	0x4d6	data	English	United States	0.4701130856219709
RT_DIALOG	0x168130	0xe4	data	Chinese	Taiwan	0.6622807017543859
RT_DIALOG	0x168214	0xe8	data	English	United States	0.6336206896551724
RT_STRING	0x1682fc	0x71a	data	Chinese	Taiwan	0.323982398239824
RT_STRING	0x168a18	0x4e6	data	Chinese	Taiwan	0.38118022328548645
RT_STRING	0x168f00	0x2f6	data	Chinese	Taiwan	0.41688654353562005
RT_STRING	0x1691f8	0x9a4	data	Chinese	Taiwan	0.27836304700162073
RT_STRING	0x169b9c	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x169c20	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x169c4c	0x14a	data	English	United States	0.5060606060606061
RT_STRING	0x169d98	0x4e2	data	English	United States	0.376
RT_STRING	0x16a27c	0x2a2	data	English	United States	0.28338278931750743
RT_STRING	0x16a520	0x2dc	data	English	United States	0.36885245901639346
RT_STRING	0x16a7fc	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x16a8a8	0xde	data	English	United States	0.536036036036036
RT_STRING	0x16a988	0x4c4	data	English	United States	0.3221311475409836
RT_STRING	0x16ae4c	0x264	data	English	United States	0.3741830065359477
RT_STRING	0x16b0b0	0x2c	data	English	United States	0.5227272727272727
RT_RCDATA	0x16b0dc	0x1800	PE32+ executable (console) x86-64, for MS Windows			0.5719401041666666
RT_RCDATA	0x16c8dc	0x24780	data			0.7689053127677806
RT_RCDATA	0x19105c	0x4e550	Delphi compiled form 'TBaseFrame'			0.36960803869745174
RT_RCDATA	0x1df5ac	0x1cc3e	Delphi compiled form '\017TFanTasticFrame\016FanTasticFrame'			0.5127989679346812
RT_RCDATA	0x1fc1ec	0x136fe	Delphi compiled form '\016TfrmAutoTuning'			0.5060290903609918
RT_RCDATA	0x20f8ec	0x136fe	Delphi compiled form '\016TfrmAutoTuning'			0.6512548044313814
RT_RCDATA	0x222fec	0x1b681	Delphi compiled form 'TMsgBoxForm'			0.5580320158208397
RT_GROUP_CURSOR	0x23e670	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_ICON	0x23e694	0x14	data	Chinese	Taiwan	1.15
RT_VERSION	0x23e6a8	0x458	data	English	United States	0.427158273381295
RT_MANIFEST	0x23eb00	0x277	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	Taiwan	0.5150554675118859

Imports

DLL	Import
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
COMCTL32.dll	_TrackMouseEvent, ImageList_Destroy, ImageList_Create, ImageList_LoadImageW, ImageList_Merge, ImageList_Read, ImageList_Write
KERNEL32.dll	DuplicateHandle, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, MoveFileW, GetVolumeInformationW, GetFullPathNameW, GetStringTypeExW, GetThreadLocale, GetShortPathNameW, GetFileTime, LocalFileTimeToFileTime, SystemTimeToFileTime, SetFileTime, SetFileAttributesW, FileTimeToLocalFileTime, GetStartupInfoW, ExitProcess, RtlUnwind, GetLocalTime, RaiseException, HeapFree, HeapAlloc, SetConsoleCtrlHandler, CreateThread, ExitThread, GetTimeZoneInformation, GetSystemTime, HeapReAlloc, HeapSize, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetEnvironmentStrings, GetCommandLineA, SetHandleCount, GetFileType, SetErrorMode, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, FatalAppExitA, SetUnhandledExceptionFilter, VirtualAlloc, IsBadWritePtr, LCMapStringA, LCMapStringW, GetFileAttributesA, IsBadReadPtr, IsBadCodePtr, GetStringTypeA, GetStringTypeW, GetCPInfo, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, CompareStringA, CompareStringW, SetEnvironmentVariableW, GetExitCodeProcess, CreateProcessA, SetStdHandle, GetACP, GetOEMCP, SetEnvironmentVariableA, GetLocaleInfoW, GetCurrentProcessId, GetOverlappedResult, DeviceIoControl, CreateEventA, InterlockedExchange, QueryDosDeviceW, GetLogicalDriveStringsW, GetWindowsDirectoryW, QueryDosDeviceA, GetLogicalDriveStringsA, GetWindowsDirectoryA, OutputDebugStringW, CreateMailslotW, SleepEx, GetFullPathNameA, GetCurrentDirectoryA, FindResourceA, GlobalAddAtomA, GetProfileStringA, GlobalGetAtomNameW, WritePrivateProfileStringW, GetPrivateProfileStringW, GetPrivateProfileIntW, GetProcessVersion, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalAlloc, GlobalFlags, lstrcmpiW, CreateEventW, SetThreadPriority, SetEvent, lstrcmpW, GlobalAlloc, lstrcmpA, lstrcmpiA, GetCurrentThread, lstrcpynW, MulDiv, SetLastError, FormatMessageW, LocalFree, GetDriveTypeA, InterlockedDecrement, InterlockedIncrement, LoadLibraryA, lstrlenA, GetVersion, lstrcatW, GetCurrentThreadId, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, lstrcpyW, GlobalLock, GlobalUnlock, GlobalFree, LockResource, TerminateProcess, MoveFileExW, SuspendThread, ResumeThread, CreateProcessW, GetVersionExW, WaitForSingleObject, GetCurrentProcess, Sleep, GetSystemDirectoryW, CopyFileW, FindResourceW, LoadResource, SizeofResource, GetTempPathW, CreateMutexW, GetCommandLineW, AllocConsole, SetConsoleTitleW, GetStdHandle, WriteConsoleW, ReadConsoleW, FreeConsole, GetCurrentDirectoryW, GetModuleHandleA, GetModuleHandleW, GetVersionExA, DeleteFileW, SetCurrentDirectoryW, FindFirstFileW, FindNextFileW, GetLastError, FindClose, GetFileAttributesW, CreateDirectoryW, lstrlenW, FileTimeToSystemTime, WideCharToMultiByte, GetUserDefaultLangID, MultiByteToWideChar, LoadLibraryW, GetProcAddress, FreeLibrary, GetTickCount, CreateFileW, ReadFile, SetFilePointer, GetFileSize, WriteFile, CloseHandle, GetModuleFileNameW, GetStartupInfoA
USER32.dll	IsDialogMessageW, SetWindowTextW, MoveWindow, ShowWindow, EnableMenuItem, CheckMenuItem, SetMenuItemBitmaps, ModifyMenuW, GetMenuState, LoadBitmapW, GetMenuCheckMarkDimensions, ClientToScreen, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutW, DrawTextW, GrayStringW, ShowOwnedPopups, SetCursor, ValidateRect, TranslateMessage, GetMessageW, wvsprintfW, DestroyMenu, GetClassNameW, PtInRect, GetDesktopWindow, GetDialogBaseUnits, LoadCursorW, GetSysColorBrush, SetCapture, ReleaseCapture, WaitMessage, GetWindowThreadProcessId, WindowFromPoint, InsertMenuW, GetMenuStringW, SetRectEmpty, LoadAcceleratorsW, TranslateAcceleratorW, LoadMenuW, SetMenu, ReuseDDElParam, UnpackDDElParam, BringWindowToTop, CharUpperW, CheckRadioButton, CheckDlgButton, UpdateWindow, SendDlgItemMessageW, SendDlgItemMessageA, MapWindowPoints, PeekMessageW, DispatchMessageW, GetFocus, SetFocus, AdjustWindowRectEx, EqualRect, DeferWindowPos, BeginDeferWindowPos, EndDeferWindowPos, IsWindowVisible, ScrollWindow, GetScrollInfo, SetScrollInfo, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, IsChild, GetCapture, ScrollWindowEx, GetClassInfoW, RegisterClassW, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, TrackPopupMenu, SetWindowPlacement, GetWindowTextLengthW, GetWindowTextW, GetDlgCtrlID, GetKeyState, DefWindowProcW, CreateWindowExW, SetWindowsHookExW, CallNextHookEx, SetPropW, UnhookWindowsHookEx, GetPropW, CallWindowProcW, RemovePropW, GetMessageTime, GetMessagePos, GetLastActivePopup, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowLongW, SetWindowPos, RegisterWindowMessageW, IntersectRect, SystemParametersInfoW, GetWindowPlacement, GetWindowRect, GetNextDlgTabItem, EndDialog, GetActiveWindow, SetActiveWindow, IsWindow, DestroyWindow, GetParent, GetWindowLongW, GetDlgItem, IsWindowEnabled, GetDC, GetSysColor, ReleaseDC, PostQuitMessage, PostMessageW, IsIconic, DrawIcon, UnregisterClassW, GetWindowTextLengthA, HideCaret, ShowCaret, ExcludeUpdateRgn, AppendMenuW, LoadIconW, ExitWindowsEx, wsprintfW, FindWindowExW, GetSystemMenu, DeleteMenu, LoadStringA, MessageBoxA, LoadStringW, MessageBoxW, GetClientRect, GetCursorPos, ScreenToClient, GetSystemMetrics, InvalidateRect, CopyRect, DrawEdge, DrawIconEx, InflateRect, IsDlgButtonChecked, SetDlgItemTextW, SetDlgItemInt, GetDlgItemTextW, WinHelpW, GetDlgItemInt, OffsetRect, FillRect, SendMessageW, RedrawWindow, EnableWindow, CreateDialogIndirectParamW, GetPropA, SetPropA, SetWindowLongA, GetClassNameA, IsWindowUnicode, SendMessageA, GetWindowLongA, SetWindowsHookExA, RemovePropA, CallWindowProcA, CharNextA, DefWindowProcA, DefDlgProcA, GetClassInfoA, DrawFocusRect, DrawTextA, GetWindowTextA
GDI32.dll	SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, OffsetClipRgn, MoveToEx, LineTo, SetTextAlign, SetTextJustification, SetTextCharacterExtra, SetMapperFlags, GetCurrentPositionEx, ArcTo, SetArcDirection, SetTextColor, PolylineTo, SetColorAdjustment, PolyBezierTo, DeleteObject, GetClipRgn, CreateRectRgn, SetBkMode, ExtSelectClipRgn, PlayMetaFileRecord, GetObjectType, EnumMetaFile, PlayMetaFile, GetDeviceCaps, GetViewportExtEx, GetWindowExtEx, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, CreatePatternBrush, CreateDIBPatternBrushPt, PtVisible, RectVisible, TextOutW, ExtTextOutW, Escape, GetMapMode, PatBlt, SetRectRgn, CombineRgn, CreateRectRgnIndirect, CreateFontIndirectW, DPtoLP, GetTextMetricsW, ExtTextOutA, GetClipBox, GetDCOrgEx, CreateFontW, GetTextExtentPoint32W, SelectPalette, GetStockObject, SelectObject, RestoreDC, SaveDC, StartDocW, DeleteDC, CreateBitmap, GetObjectW, SelectClipPath, SetBkColor, GetTextExtentPointA, BitBlt, CreateCompatibleDC, PolyDraw, CreateDIBitmap, Rectangle
comdlg32.dll	GetFileTitleW
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesW, OpenPrinterW
ADVAPI32.dll	ControlService, StartServiceW, OpenServiceW, DeleteService, CreateServiceW, OpenSCManagerW, CloseServiceHandle, RegDeleteKeyW, RegDeleteValueW, RegSetValueExW, RegOpenKeyExW, RegCreateKeyExW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyW, RegQueryValueExW, RegCloseKey, QueryServiceStatus
SHELL32.dll	DragQueryFileW, DragFinish, DragAcceptFiles, ShellExecuteW, SHGetFileInfoW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	Taiwan

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:41:36.055921078 CET	49710	30203	192.168.2.8	181.71.216.203
Jan 10, 2025 11:41:36.060735941 CET	30203	49710	181.71.216.203	192.168.2.8
Jan 10, 2025 11:41:36.061857939 CET	49710	30203	192.168.2.8	181.71.216.203
Jan 10, 2025 11:41:36.096426964 CET	49710	30203	192.168.2.8	181.71.216.203
Jan 10, 2025 11:41:36.101273060 CET	30203	49710	181.71.216.203	192.168.2.8
Jan 10, 2025 11:41:36.101618052 CET	49710	30203	192.168.2.8	181.71.216.203
Jan 10, 2025 11:41:36.106417894 CET	30203	49710	181.71.216.203	192.168.2.8
Jan 10, 2025 11:41:57.207782030 CET	62337	53	192.168.2.8	162.159.36.2
Jan 10, 2025 11:41:57.212663889 CET	53	62337	162.159.36.2	192.168.2.8
Jan 10, 2025 11:41:57.215259075 CET	62337	53	192.168.2.8	162.159.36.2
Jan 10, 2025 11:41:57.220228910 CET	53	62337	162.159.36.2	192.168.2.8
Jan 10, 2025 11:41:57.467523098 CET	30203	49710	181.71.216.203	192.168.2.8
Jan 10, 2025 11:41:57.467624903 CET	49710	30203	192.168.2.8	181.71.216.203
Jan 10, 2025 11:41:57.473222017 CET	49710	30203	192.168.2.8	181.71.216.203
Jan 10, 2025 11:41:57.479062080 CET	30203	49710	181.71.216.203	192.168.2.8
Jan 10, 2025 11:41:57.688642979 CET	62337	53	192.168.2.8	162.159.36.2
Jan 10, 2025 11:41:57.693727016 CET	53	62337	162.159.36.2	192.168.2.8
Jan 10, 2025 11:41:57.694624901 CET	62337	53	192.168.2.8	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:41:36.031089067 CET	54465	53	192.168.2.8	1.1.1.1
Jan 10, 2025 11:41:36.053225994 CET	53	54465	1.1.1.1	192.168.2.8
Jan 10, 2025 11:41:57.204236984 CET	53	51112	162.159.36.2	192.168.2.8
Jan 10, 2025 11:41:57.781522036 CET	53	64300	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:41:36.031089067 CET	192.168.2.8	1.1.1.1	0x11a5	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:41:36.053225994 CET	1.1.1.1	192.168.2.8	0x11a5	No error (0)	newstaticfreepoint24.ddns-ip.net		181.71.216.203	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:41:11
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\PDFonlineseguro.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PDFonlineseguro.exe"
Imagebase:	0x400000
File size:	2'334'801 bytes
MD5 hash:	FDDCC6DB43B7AEA103C315249BC12BBE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:41:32
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x610000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3320973321.0000000009970000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3320566149.00000000084C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3320140298.0000000007321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	98.8%
Signature Coverage:	32.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	299

Executed Functions

Function 00CA6465 Relevance: 31.9, APIs: 1, Strings: 20, Instructions: 367
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Strings

r, xrefs: 00CBDD6F
e, xrefs: 00CBDD61
i, xrefs: 00CBDD53
e, xrefs: 00CBDDA0
o, xrefs: 00CBDD76
y, xrefs: 00CBDDBC
r, xrefs: 00CBDD4C
P, xrefs: 00CBDD68
7G3K, xrefs: 00CBE3EB
c, xrefs: 00CBDD7D
s, xrefs: 00CBDD92
W, xrefs: 00CBDCE1
M, xrefs: 00CBDD99
t, xrefs: 00CBDD5A
e, xrefs: 00CBDD84
r, xrefs: 00CBDDB5
W, xrefs: 00CBDD45
s, xrefs: 00CBDD8B
m, xrefs: 00CBDDA7
o, xrefs: 00CBDDAE

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: 7G3K$M$P$W$W$c$e$e$e$i$m$o$o$r$r$r$s$s$t$y
API String ID: 4275171209-2769547580
Opcode ID: 2840d8ad5d51b2ace4994d8eee50234126863668c224d8dd2e3d3f821928bae3
Instruction ID: 2a6c40468c7b5c3dc81ee0ec6f1a58b09cb421f3ffcea9cc452cb74234e990b9
Opcode Fuzzy Hash: 2840d8ad5d51b2ace4994d8eee50234126863668c224d8dd2e3d3f821928bae3
Instruction Fuzzy Hash: 29E1E2B1D082A89BFB208A15DC44BEA7B75EF92304F1440F9D44D5B282E2795FC5CF62

Function 00CB8DD9 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 425
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000002), ref: 00CB93BF

Strings

t, xrefs: 00CB94AD
l, xrefs: 00CB947C
P, xrefs: 00CB9483
e, xrefs: 00CB949F
E, xrefs: 00CB94B4
a, xrefs: 00CB9475
o, xrefs: 00CB9491
r, xrefs: 00CB9460
i, xrefs: 00CB9459
V, xrefs: 00CB9452
t, xrefs: 00CB9498
c, xrefs: 00CB94A6
u, xrefs: 00CB946E
t, xrefs: 00CB9467
r, xrefs: 00CB948A
x, xrefs: 00CB94BB

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: E$P$V$a$c$e$i$l$o$r$r$t$t$t$u$x
API String ID: 4275171209-4025948460
Opcode ID: d95b60aa00213f5eb43a2287cf35ae4aa1d40fd6b3fdf40145debedbd6467a40
Instruction ID: f1f6e6a7dd4956fde1002023564649262a460acc12b74783ed37581f5e010b6b
Opcode Fuzzy Hash: d95b60aa00213f5eb43a2287cf35ae4aa1d40fd6b3fdf40145debedbd6467a40
Instruction Fuzzy Hash: 8BF117B2D081689FE7208618DC84BEB7BB8EB41314F1481FAD90D26281DA7D6FC5CF91

Function 0041290D Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 490
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Strings

9EBN, xrefs: 0041290D
7D52, xrefs: 004129C7

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID: 7D52$9EBN
API String ID: 1029625771-780101925
Opcode ID: 388f1a279dd8bf3357b554f46f65a7b10d8751f4d34d2846fe6e885a3c82476a
Instruction ID: 0ad503646254e4b4fb3b36782f0a59c631594f6a4f774dda271bb14b5d07a41a
Opcode Fuzzy Hash: 388f1a279dd8bf3357b554f46f65a7b10d8751f4d34d2846fe6e885a3c82476a
Instruction Fuzzy Hash: 810227B2C181988FF724CB28CD45BEABB79EB94304F1441FAD40D96181D6BE5BC68F16

Function 0251FE3E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5BE@, xrefs: 0251FCEF
R, xrefs: 0251FDC6

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: 5BE@$R
API String ID: 0-2534193496
Opcode ID: 9be05883effbd765ad09778a22db58125baecafd0f900ba8d5cb8ca3408383c9
Instruction ID: 08cc79f0fc920a36dbd2ca991e6217b78129a79f74e73344db5afc75af53ed60
Opcode Fuzzy Hash: 9be05883effbd765ad09778a22db58125baecafd0f900ba8d5cb8ca3408383c9
Instruction Fuzzy Hash: 94A123B2D05264AFF7248A20DC90BFB7B79FB81314F1081BAE949562C1E6395EC5CB51

Function 0251FBE5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5BE@, xrefs: 0251FCEF
R, xrefs: 0251FDC6

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: 5BE@$R
API String ID: 0-2534193496
Opcode ID: 0f1000a637287439bb5450c8a5a2c0ad81dd7fb3743d230fe0d5ce1f95db1d11
Instruction ID: ae71d8ddbb2966c63a947548305ddae7ffaed389e462ff198d15e6788b473b83
Opcode Fuzzy Hash: 0f1000a637287439bb5450c8a5a2c0ad81dd7fb3743d230fe0d5ce1f95db1d11
Instruction Fuzzy Hash: C771E2B2D052646FF7248620DC44BEB7B69FB81310F0580BAD94D66280D6795ACACB56

Function 00412563 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 645
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7D52, xrefs: 004129C7

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: 7D52
API String ID: 0-1372432686
Opcode ID: a32bbe8712de0054964fbb48e9575b64ab83cad968acde3ee586f41c73f5ab47
Instruction ID: 28635b83c59c4553ed9047865ddeb6010a42a8af37995a5bd21a88313d097467
Opcode Fuzzy Hash: a32bbe8712de0054964fbb48e9575b64ab83cad968acde3ee586f41c73f5ab47
Instruction Fuzzy Hash: 2D3223B1D082588FE724CB28CD84BEABB79EB85304F1441FAD40D96281D6BE5BC5CF16

Function 00412C5E Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

H69P, xrefs: 00412C5E

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID: H69P
API String ID: 1029625771-988670626
Opcode ID: e8bf6bdb9c8d6e1b828e4a5418bc28f2ca10aa74148031e08321036c686d118d
Instruction ID: 8094dba36aa06f8fead93d5423ff4b9bd7308fcc850a1e2f600cceda2a4872b9
Opcode Fuzzy Hash: e8bf6bdb9c8d6e1b828e4a5418bc28f2ca10aa74148031e08321036c686d118d
Instruction Fuzzy Hash: B0F127B2D181588BF724CB38CD45BEABB79EB94304F1481FAD40D96180D6BE5BC58F26

Function 0251925E Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 681beac023ffa6d458f59b45752725a787753f2ba695c30acbbe005ddaca77eb
Instruction ID: a01c5855b857dc4b56b1245b5d3658fa64e94dff2f85ce8fe92cee6c34398da1
Opcode Fuzzy Hash: 681beac023ffa6d458f59b45752725a787753f2ba695c30acbbe005ddaca77eb
Instruction Fuzzy Hash: 32B135F2C14215AFF7248B14EC94BEB77A9FB80314F1485FAD90D56680E63C9FC28A61

Function 0041C26C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

87J=, xrefs: 0041C43F

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: 87J=
API String ID: 0-1728124889
Opcode ID: b902892d12abfeabe201e418613c91f4c99f889eee56b3a251b18c745c4c45c4
Instruction ID: 18051e2a7fe5abdc85e49c4781780e6a560778dfd0343a5f280e073013bd8e3a
Opcode Fuzzy Hash: b902892d12abfeabe201e418613c91f4c99f889eee56b3a251b18c745c4c45c4
Instruction Fuzzy Hash: 11A1E6F2D44218AFE7248A24ECC5BFB7779EB80310F1481BBD94D96240E67D5EC28B56

Function 00CAC42C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 283processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 580e8fe5324a4991a85e2981a1c1a1bde611170f82d6f1a973f8f881a2b20035
Instruction ID: b717bb0626232d94ce55b2e48a1fd5264f78343a4a5487adb47a8f0189e9db63
Opcode Fuzzy Hash: 580e8fe5324a4991a85e2981a1c1a1bde611170f82d6f1a973f8f881a2b20035
Instruction Fuzzy Hash: 73A115B2D002299BE7208B24DC95BFBB779EF85314F1481F9E90D66240E6796FC18E91

Function 00CAB522 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: d68bce638fa5220f60e8042a8d58cdbb6b21695accfe383635932b9ceb3defb1
Instruction ID: d4919877dfeaa8f1e80a6e1936c4fe497f2d61e02c855974b8f848f6d84666c7
Opcode Fuzzy Hash: d68bce638fa5220f60e8042a8d58cdbb6b21695accfe383635932b9ceb3defb1
Instruction Fuzzy Hash: F7817AF2D043195FF3248A25EC95BF77768EB81314F1481BAE80E666C0D67D5FC18A62

Function 02518E58 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 264registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 5e8ca8d49d14d35c8c3c2b2fb1d77dd357b82468a697eeaf8f8f3b7c29590e55
Instruction ID: 09e2e2b020ed55be44f14805ca588f7f7ef5333c04c098792541d435d7590bd8
Opcode Fuzzy Hash: 5e8ca8d49d14d35c8c3c2b2fb1d77dd357b82468a697eeaf8f8f3b7c29590e55
Instruction Fuzzy Hash: C9B19BB1D082289BFB348B18DC95BEAB7B5FF98314F0441EAD90DA2240E6795FC5CE15

Function 0041B54D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Strings

JCE@, xrefs: 0041B84F

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: JCE@
API String ID: 544645111-1558425100
Opcode ID: 9cedc28ff546090686a5b71c163a9002017febe2a9c1c14bb06c3cf469e78445
Instruction ID: 7c07c533459c0fab80da28bad5399094b37ef33f10413664306e2c247ee26706
Opcode Fuzzy Hash: 9cedc28ff546090686a5b71c163a9002017febe2a9c1c14bb06c3cf469e78445
Instruction Fuzzy Hash: 7EA1CEB1D046698BEB248F28DD40BEAB7B5EF85314F1481FAD84D62640E7385FC28F46

Function 02523E83 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 529COMMON

Download Yara Rule

Strings

7[W, xrefs: 02523E84

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: 7[W
API String ID: 4275171209-3315053996
Opcode ID: 0b238b7472536576de0eaa89319c2746d7fec5600f0d5e45c186bc70ca89f7b1
Instruction ID: af51ba11001d2b78d3fefa43e2d1e27e8df6c39e4088a75e7732ec1fd435e94c
Opcode Fuzzy Hash: 0b238b7472536576de0eaa89319c2746d7fec5600f0d5e45c186bc70ca89f7b1
Instruction Fuzzy Hash: 5312F3B2D045649BF7248B14DC45BEBB779EF85310F0481FAD80EA6380E6795EC68F51

Function 00CA596E Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 379memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Strings

Q, xrefs: 00CA5DED

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID: Q
API String ID: 4275171209-854704334
Opcode ID: 28023f95217fbddc69f3cd1a1ef6953d817c046618b775a154bcd722bf72e17a
Instruction ID: 403a3304174076dc78066e38300d669b64c98c0c196230f7b04501ae4ef5e579
Opcode Fuzzy Hash: 28023f95217fbddc69f3cd1a1ef6953d817c046618b775a154bcd722bf72e17a
Instruction Fuzzy Hash: A5D113B2D04A659FFB248A10DC84BFB77B5EF82319F1880EAD84956281D6395FC1CF52

Function 0251E012 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 314COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Strings

9PF8, xrefs: 0251FBDE

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID: 9PF8
API String ID: 2962429428-1325012634
Opcode ID: b71e861dcaa05508153e3fb1a8efbd14076cae238c1631f31d6d18ea8864ae08
Instruction ID: 33f0617f5204db72851835becac1adcd0e642654ed0a6ea3dd389a8c286ce628
Opcode Fuzzy Hash: b71e861dcaa05508153e3fb1a8efbd14076cae238c1631f31d6d18ea8864ae08
Instruction Fuzzy Hash: 2CC1B0B1E042689BF7218B28DC41AEAB7B5FF85310F0480FAD84DA7641E6355EC6CF16

Function 0251D158 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

N>=^, xrefs: 0251D15A

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID: N>=^
API String ID: 2962429428-2453736645
Opcode ID: f2ba91f93cee4a64ab5c2b041160315baf4e02651a5acd1eee42214706048948
Instruction ID: 8439a4ec5dc4a590dfc856097e0e9af74fb8a4541bce97daeceb2450037b60bb
Opcode Fuzzy Hash: f2ba91f93cee4a64ab5c2b041160315baf4e02651a5acd1eee42214706048948
Instruction Fuzzy Hash: 26B1B1B1D042A89BEB218B24DC416EABBB5FF85310F0480FAD44DA7251E6355FC6CF16

Function 00412D96 Relevance: 2.1, APIs: 1, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 844736d566c9949d759c28b661a38c96250939338e72ba80e6897733ca4178b0
Instruction ID: a173627131be94053c38d50b0cf7b5fa1860886e6855db00a7ec937b861afdaf
Opcode Fuzzy Hash: 844736d566c9949d759c28b661a38c96250939338e72ba80e6897733ca4178b0
Instruction Fuzzy Hash: C12226B2D141589BF724CA28DD45BEBBB79EB84304F1481FAD40D96280D6BE5FC18F26

Function 00412B27 Relevance: 2.0, APIs: 1, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0ed88fdf0d14caa6f1c92632f8a1346dc6d36a9a4a31beb25bc8656c488c85
Instruction ID: 7c85355221240f41de74326fdff2f1a7ae86c1bf6ca75994b514ec8b829345d4
Opcode Fuzzy Hash: 7a0ed88fdf0d14caa6f1c92632f8a1346dc6d36a9a4a31beb25bc8656c488c85
Instruction Fuzzy Hash: 951227B2D182549BF724CB28DD45BEABB79EB84304F1481FAD40D96280D6BE5FC18F16

Function 00412B56 Relevance: 2.0, APIs: 1, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28eb5d946aafb5ab38582e9f7e75354ad0bd14b2301f49fba208290e2956533a
Instruction ID: 22d2c32c0d91f1c78b09544b5dd75fd39f145da0adcf4e7265f22805e416450a
Opcode Fuzzy Hash: 28eb5d946aafb5ab38582e9f7e75354ad0bd14b2301f49fba208290e2956533a
Instruction Fuzzy Hash: D91238B2D141549BF724CB28DD45BEABB79EB94304F1481FAD40D96280D6BE4FC18F26

Function 00CB9992 Relevance: 2.0, APIs: 1, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8fcccd79bc3d01024919b50b6a039b76a3f0d0a1b0e5d0d8fac65eb87405f3
Instruction ID: 41785652823353d9bc5cc35fb618c89e499bba489806333babd68c03a5dc05e8
Opcode Fuzzy Hash: ed8fcccd79bc3d01024919b50b6a039b76a3f0d0a1b0e5d0d8fac65eb87405f3
Instruction Fuzzy Hash: 8CF186B2D142209BF7248A24EC55BFB7B79EF80310F1441BED90E97280E67D5EC18B62

Function 00412BBC Relevance: 2.0, APIs: 1, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 48c79f17db4bbdab8238a62883930746de4f6a842710fc9d9e2672a12c15f4e1
Instruction ID: 81728ae1035b69c65c435d74047e3fd55e77e1595250ec8848dd5e198627b974
Opcode Fuzzy Hash: 48c79f17db4bbdab8238a62883930746de4f6a842710fc9d9e2672a12c15f4e1
Instruction Fuzzy Hash: 8F0227B2D142588BF724CB28DD45BEABB79EB94304F1481FAD40D96280D6BE4BC1CF16

Function 00412CD6 Relevance: 1.9, APIs: 1, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8f9c9fd2e8352cb39c2ceeaff6cce883233f4c52b81fc1f69e6b140e1ced607c
Instruction ID: 6986e7f274646809a6809a72d5b31373262e71a518affd45ecc4021f0a99713c
Opcode Fuzzy Hash: 8f9c9fd2e8352cb39c2ceeaff6cce883233f4c52b81fc1f69e6b140e1ced607c
Instruction Fuzzy Hash: A4F117B1C182988EF724CB38DD44BEABB79EB84304F1481FAD40D96180D6BE5BC58F16

Function 00412A0D Relevance: 1.9, APIs: 1, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cccc17b14d395cdb45b9ec73bfca49c8ead673568b802d1373a9b2a403c308c7
Instruction ID: 83b282850b8819d6e079432a72c5561f8af0fd921ee256f7d2bf466a2132812e
Opcode Fuzzy Hash: cccc17b14d395cdb45b9ec73bfca49c8ead673568b802d1373a9b2a403c308c7
Instruction Fuzzy Hash: 1BF117B1D182988FF724CA38CD45BEABB79EB94304F0441FAD40D96181D6BE5BC58F16

Function 00CBE423 Relevance: 1.9, APIs: 1, Instructions: 421injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00CBFCA9

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a0cfa95f62b713d4b5b2ad63126d967e1d1d9a99ea3694eca4423351550cbb3a
Instruction ID: 68c8758c6cb1529ce9be2e44b0f624c6fecfc4b8ae9337f33094eb38151d84f1
Opcode Fuzzy Hash: a0cfa95f62b713d4b5b2ad63126d967e1d1d9a99ea3694eca4423351550cbb3a
Instruction Fuzzy Hash: 6CF1A2B2D146289BF7248B19DC49AEAB7B5FB84310F1481FAD80DA7280E7785FC5CE51

Function 00412AB5 Relevance: 1.9, APIs: 1, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa8dcc40399ba58940eec5269bb6987e987b93cb2d2b6eb660671d8dc5731f5d
Instruction ID: c25d04bd29c8a3d81523e2d42302542de30dbcc5fb8d11a4564b7a0acb7e96ed
Opcode Fuzzy Hash: fa8dcc40399ba58940eec5269bb6987e987b93cb2d2b6eb660671d8dc5731f5d
Instruction Fuzzy Hash: 88F117B2D181988EF724CB39CD45BEABB79EB94304F0441FAD40D96180D6BE5BC58F26

Function 00412A36 Relevance: 1.9, APIs: 1, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e19865baed9857a9871f5a2c4026b740feb3f1306b8b91b4c41d32991e465569
Instruction ID: 87b71de2888bc784b0aff099216720c17f58e05d3d98153aad8e7a02ce3af28f
Opcode Fuzzy Hash: e19865baed9857a9871f5a2c4026b740feb3f1306b8b91b4c41d32991e465569
Instruction Fuzzy Hash: 58F117B2C182988FF724CA38CD45BEABB79EB94304F0441FAD40D96184D6BE5BC58F16

Function 00412D4D Relevance: 1.9, APIs: 1, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ed44a851c4c88b6acc7d0c5ffcb4c16f133bad70cf4c6b353ba0cf9af325c3d8
Instruction ID: 08d61c9abd71276e7bcfed4828cb8acbf5f67dcd0b3ce84d905c49c9e02a34c6
Opcode Fuzzy Hash: ed44a851c4c88b6acc7d0c5ffcb4c16f133bad70cf4c6b353ba0cf9af325c3d8
Instruction Fuzzy Hash: FBF116B1C182988FF724CA38CD45BEABB79EB94304F1481FAD40D96184D6BE5BC58F16

Function 00412AE3 Relevance: 1.9, APIs: 1, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 24fed693930847171cb546ed7d790dcbe27ddc843ae221ade6dac0c7e475ee30
Instruction ID: 9eadc7cde2efaaed1b984a5d12404e531f3767a4414aa6475e8c9ff78dbeae85
Opcode Fuzzy Hash: 24fed693930847171cb546ed7d790dcbe27ddc843ae221ade6dac0c7e475ee30
Instruction Fuzzy Hash: 79F116B1C182988BF724CA28CD45BEABB79EB94304F1481FAD40D96184D6BE5BC58F16

Function 00412E00 Relevance: 1.9, APIs: 1, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d530e09a2b724d5f12793b6a57cb3a8bbe2a9acc794519d405fa0b2fd3b38e30
Instruction ID: 914b4893cf7e246360d6171d055060685bfca23b3bb8442f664b5428e4751995
Opcode Fuzzy Hash: d530e09a2b724d5f12793b6a57cb3a8bbe2a9acc794519d405fa0b2fd3b38e30
Instruction Fuzzy Hash: A2F106B1C182988FF724CA38CD45BEABB79EB94304F1481FAD40D96184D6BE5BC58F16

Function 00CBEC7B Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ca2cc11fed54ff4a54fac0d5f06d717f27019c868a4a1cea5b541b111a9eb6
Instruction ID: ebd974890d265fe462b39d82219de7608c39f03891a126b25c9945aa4686776f
Opcode Fuzzy Hash: e3ca2cc11fed54ff4a54fac0d5f06d717f27019c868a4a1cea5b541b111a9eb6
Instruction Fuzzy Hash: 23D1F3B2D081649FF724CB25DC91AEA7B75EB81310F2481FED84D56281D738AEC2CE51

Function 00CB959F Relevance: 1.9, APIs: 1, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048d8cef36c1a6b0f3dcf6a217b5784af81f396fbd57b81e44ebb6231e41d6c2
Instruction ID: 660b556fa8a4f81e5d174ec96a57b1a1cebaa5176cdf74b36758e71c313e4baf
Opcode Fuzzy Hash: 048d8cef36c1a6b0f3dcf6a217b5784af81f396fbd57b81e44ebb6231e41d6c2
Instruction Fuzzy Hash: 51C16AB2D046149BF7208A24EC55BFB7778EF90310F1481BADA0E97690E67D5EC1CB22

Function 00412F5B Relevance: 1.9, APIs: 1, Instructions: 356libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 09ef31d4875e5d4364aaa38d3552ff4f7ca364ff48131d4c4dc19f09039680b0
Instruction ID: 25ee1458d4c05cc34388280acd285f1b350c9e83cd5973a54011443fe1b238c6
Opcode Fuzzy Hash: 09ef31d4875e5d4364aaa38d3552ff4f7ca364ff48131d4c4dc19f09039680b0
Instruction Fuzzy Hash: 1FE118B1D182588FF724CA28CD44BEABB79EB94304F1482FAC44D96184D6BB5BC1CF15

Function 00412F68 Relevance: 1.9, APIs: 1, Instructions: 352libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 44d90c0b9c49be0f94f5566c085c51c650c9ba62b4d58904face86cc12eb4385
Instruction ID: 8c8785c59a19c8c59afa334fe66621ece20bae9c27aaf262cc5b84eed56bd58c
Opcode Fuzzy Hash: 44d90c0b9c49be0f94f5566c085c51c650c9ba62b4d58904face86cc12eb4385
Instruction Fuzzy Hash: 06E108B1C182988EF725CB28CD44BEABB79EB84304F1482FAC44D96184C6BA5BC1CF15

Function 00CB984B Relevance: 1.8, APIs: 1, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e792d18e2530fa9b3b3c003973df3210de8169a801fd0bdaed6d9d00000a9d4
Instruction ID: e2131eaa2f7915b1ce4c3ffa7f55f201d066a1898f8dbed42c3bcf2b795d2837
Opcode Fuzzy Hash: 0e792d18e2530fa9b3b3c003973df3210de8169a801fd0bdaed6d9d00000a9d4
Instruction Fuzzy Hash: CBC155B2D042249AF7208A25DC54BFB7778EF91310F1441FAEA0D97280E67D5EC1CB62

Function 004120B2 Relevance: 1.8, APIs: 1, Instructions: 332libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f73b989c36e49737ba16bcb8db3207c3d024309a4faf8c23682ed0e059c3e122
Instruction ID: 68fcf2f6689c69d927717ee79365b4a85c972a433720d20fd96375829fbe019e
Opcode Fuzzy Hash: f73b989c36e49737ba16bcb8db3207c3d024309a4faf8c23682ed0e059c3e122
Instruction Fuzzy Hash: 81D107B1C181988AF724CB28CD45BEABB79EB94304F1481FAC40D96184D6BF5BC58F16

Function 00412EE7 Relevance: 1.8, APIs: 1, Instructions: 331libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a7b86c80fcb27795b7f989fd085fb58975178aa8b1e0346772cd3e91a3365588
Instruction ID: 77c1afaf6ee344737d6c9c1494ac544b8974899b89a280fb7368027c49a184b5
Opcode Fuzzy Hash: a7b86c80fcb27795b7f989fd085fb58975178aa8b1e0346772cd3e91a3365588
Instruction Fuzzy Hash: 56D106B1C182998AF725CB28CD45BEABB79EB84304F1481FAC40D96184D6BF5BC58F16

Function 004133D4 Relevance: 1.8, APIs: 1, Instructions: 329libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e18c0113196cbf197c9c0a09fd3ea4d64e1c55021d881bc928c383aefc03d63d
Instruction ID: 9c546136633581368c643fc48e5b2d4f0d65dfec77795a479303ee077f8a157c
Opcode Fuzzy Hash: e18c0113196cbf197c9c0a09fd3ea4d64e1c55021d881bc928c383aefc03d63d
Instruction Fuzzy Hash: 04D106B1C186988EF724CB28CD45BEABB79EB44304F0481FAC40D96184D6BB5BC5CF16

Function 0041303C Relevance: 1.8, APIs: 1, Instructions: 327libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 197fba5ed2fa1d1acc950096ed80ae44aec4a453ac70a99a872013438e5d4b5f
Instruction ID: 685db6e6754c034d7e57d24a7f2ee9e1369a5a20694af23d03f85a1bccd5a8ed
Opcode Fuzzy Hash: 197fba5ed2fa1d1acc950096ed80ae44aec4a453ac70a99a872013438e5d4b5f
Instruction Fuzzy Hash: 5AD106B1D182988AF724CB28CD45BEABB79EB94304F0481FAC40D96184C6BB5BC5CF16

Function 00412905 Relevance: 1.8, APIs: 1, Instructions: 327libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9685453c858acef7bbe08a609eba0d138d8fff13938d5bed7f656a7703b5964d
Instruction ID: ba361cb80cab4e2aa1748923d4768de877caf7156e757222a378a47da172c41c
Opcode Fuzzy Hash: 9685453c858acef7bbe08a609eba0d138d8fff13938d5bed7f656a7703b5964d
Instruction Fuzzy Hash: 81D107B1C185998AF724CB28CD45BEABB79EB54304F1481FAC40D9A184C6BF5BC58F16

Function 00412F2D Relevance: 1.8, APIs: 1, Instructions: 323libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000041,00412E62,0041307C,00412E62,?,?,?,?,?,?,00000019,00000019,?,?,004129FE,004129FE), ref: 00413418

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 991ba1292ae0b3dd7bada89b5822bacc0735865df44dae8b89cb5ebf90ba9fee
Instruction ID: 1ac84a4cf18e4a03d19c88b7cf27a23150301b53f59c7e366197149a9ad0987d
Opcode Fuzzy Hash: 991ba1292ae0b3dd7bada89b5822bacc0735865df44dae8b89cb5ebf90ba9fee
Instruction Fuzzy Hash: 8CD105B1C182998EF725CB28CD45BEABB79EB54304F1481FAC40D96184C6BB5BC5CF16

Function 004144E2 Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 3be3174dd3cd9d79a627e91fdefaaa32ff7f2729f6bf8127ef592b982d6a05ed
Instruction ID: 96c8c416ef09b65182ac49eb9859cb1ec8255d27186aa3d180cefa8ec86ead54
Opcode Fuzzy Hash: 3be3174dd3cd9d79a627e91fdefaaa32ff7f2729f6bf8127ef592b982d6a05ed
Instruction Fuzzy Hash: 97D18071E046688BDB24CB28CD50BDABBB5EF89314F1481EAD84DA7640DB785BC5CF06

Function 0252413A Relevance: 1.8, APIs: 1, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fbe901cf6143a8eb8d98041d06f2c6ba56e78e64c0a2503e73adda28b62a49d2
Instruction ID: 64eca823ce4c1aac736fd8fe6cc4b657014c910da0ea5c19078899b10558e97e
Opcode Fuzzy Hash: fbe901cf6143a8eb8d98041d06f2c6ba56e78e64c0a2503e73adda28b62a49d2
Instruction Fuzzy Hash: 8412D3B2D045649BF7248B14DC45BEBBB79EF85310F0481FAD80EA6380E6795EC68F52

Function 0041BFF9 Relevance: 1.8, APIs: 1, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121c0632922dfdc112b84c3311d5357c0953f2fc935e5d4cc1f8335c1ad9ecc6
Instruction ID: 07959f9e6a7fd35014d5a591225e2430b2b27dd5146312ec2640aab78da600b3
Opcode Fuzzy Hash: 121c0632922dfdc112b84c3311d5357c0953f2fc935e5d4cc1f8335c1ad9ecc6
Instruction Fuzzy Hash: E1A11AF2D44218AFF7248A15ECC5BFB7779EB80310F1081BAE90D96280EA7D5EC18B55

Function 0251D564 Relevance: 1.8, APIs: 1, Instructions: 546COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cf6b0ef9e43c76231d47be816256593b5ca41b43bbe4d4e47af66ca22d1d84bf
Instruction ID: ca46d8fd61406a9766c0faf7ee518284850fa350e2d09ad21b86f1c241b1d534
Opcode Fuzzy Hash: cf6b0ef9e43c76231d47be816256593b5ca41b43bbe4d4e47af66ca22d1d84bf
Instruction Fuzzy Hash: F622CFB2D051649BF7248B28DC45AEABBB5EF85310F0480FAD90DA7640D6389FC6CF56

Function 00CBA444 Relevance: 1.8, APIs: 1, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52ad58f9f3e527aea48f0031ae447d1224f7446b4abdbe1b419ba34039b9eec
Instruction ID: 7158081fe1a1a92f924fe3bbf232138f00fdf1bd985298e68371f36c0f920610
Opcode Fuzzy Hash: b52ad58f9f3e527aea48f0031ae447d1224f7446b4abdbe1b419ba34039b9eec
Instruction Fuzzy Hash: FEB156B2D14214AFE7288A14DC94AEB77B9EB80300F1541FED94D97281D77D6EC28E52

Function 02523E7C Relevance: 1.8, APIs: 1, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7b21e0b2bef6690b3aa9fc7a5c8d50a79e4d561df52c152aad01dbc30c9e9c50
Instruction ID: 6a044bb8109a4144cb663ac747bdc922a125598533c5de161fa02b45f76d2abd
Opcode Fuzzy Hash: 7b21e0b2bef6690b3aa9fc7a5c8d50a79e4d561df52c152aad01dbc30c9e9c50
Instruction Fuzzy Hash: B912D2B2D045689BF7248B14DC45BEBB779EF85310F0481FAD80EA6380E6795EC68F51

Function 0041B314 Relevance: 1.7, APIs: 1, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0140f9e48abfe85ad68b6e47ee759a07724a956fd4cc8692ad96253a84439f59
Instruction ID: 15dcfd778898b3ce6832c1a44629109f08f74687ff8f40f831ff671d724ece92
Opcode Fuzzy Hash: 0140f9e48abfe85ad68b6e47ee759a07724a956fd4cc8692ad96253a84439f59
Instruction Fuzzy Hash: 4571E7F2D141249EF7208A25DC85BFB7779EF85310F1481BBE94D96640E23C5EC28AA7

Function 0251EDFE Relevance: 1.7, APIs: 1, Instructions: 230fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 31822dbf289aef4df6e32976faaccfb6202d25443d5fa6dee9a27f7e663600a7
Instruction ID: ab8448ff35e6506b1a4f4e868649c29476191fc5f543af96c9d7b231fa9527c2
Opcode Fuzzy Hash: 31822dbf289aef4df6e32976faaccfb6202d25443d5fa6dee9a27f7e663600a7
Instruction Fuzzy Hash: 337115E2D14224AFF7248A20DC55BF77B78FB81310F0581BAE94D56280D6789FC1CB96

Function 0041BE24 Relevance: 1.7, APIs: 1, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94462e777ab555f0edee87d5c9c5c819ec86f07bd0995e7c4ae264b353b8fe16
Instruction ID: 933358cb28d29e6fec5e3efe06e228bd44d245304136820d5ac3e78294daa6d9
Opcode Fuzzy Hash: 94462e777ab555f0edee87d5c9c5c819ec86f07bd0995e7c4ae264b353b8fe16
Instruction Fuzzy Hash: 5C71D2F3D54114AFF3148A15DC89BFB7729EBC0320F1481BBE90D96680E67D5EC28A92

Function 0041C00B Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dbf633aa006d1c5928237ce6c2e3f9b1082b282022c84a0b0f03e239399d03
Instruction ID: c6c6a236b98ead54bc5c1405ed2cfbeb93079af9db1b2ed2cbde8b8eb090ef9d
Opcode Fuzzy Hash: 31dbf633aa006d1c5928237ce6c2e3f9b1082b282022c84a0b0f03e239399d03
Instruction Fuzzy Hash: 7471FAF2D44218AFF7248A14EC85BFB7779EB80710F1080BAE94D96240E67D5EC18B55

Function 00CBF0D5 Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 80bacb90ebba5bfe33d3852e4ca0bf8bb1a024255b67ed88ea578d910e0cbdeb
Instruction ID: 7750900d52555997ce85fba374e64b4c64c53ef3ed9078e9b8b7ed241a0361c0
Opcode Fuzzy Hash: 80bacb90ebba5bfe33d3852e4ca0bf8bb1a024255b67ed88ea578d910e0cbdeb
Instruction Fuzzy Hash: 597128F2D08114AFF7248B55DC45AE77B68EB81310F1442FEE94D52280D77C5EC68A52

Function 0251DEDA Relevance: 1.7, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 467ee1954c5fc635aa634afa7d59deab3c858c04b06ce9e3d70abb1cb1e853b0
Instruction ID: 6364cd536a8eda3b2525a1add1806c8a34da60b0cbff0bb43bfbb1c3969041c5
Opcode Fuzzy Hash: 467ee1954c5fc635aa634afa7d59deab3c858c04b06ce9e3d70abb1cb1e853b0
Instruction Fuzzy Hash: F702C1B1D052689BE7248B24DC81AEAB7B5FF85310F1480FAD84DA7240E6395FC6CF56

Function 0041C054 Relevance: 1.7, APIs: 1, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abea441612a0f467895e79582060ed38df3af34d84f1c1ea1cbed8c310e11844
Instruction ID: 957819c9f192194d9daf0ff4e04562e90351947be2dcaa4b7241ca887b0d445c
Opcode Fuzzy Hash: abea441612a0f467895e79582060ed38df3af34d84f1c1ea1cbed8c310e11844
Instruction Fuzzy Hash: 0A6107F2D40118AFF7248A15EC85BFB7739EBC0710F1081BAE90D96240EA7D5EC18B66

Function 0251C45E Relevance: 1.7, APIs: 1, Instructions: 206registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,024F86BE,?,024F86BE), ref: 0251C4DE

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 36e682b40685ef7ee5bbb4c8eaa04a6af8d5f652a3700dd43070738bb5e2fa9a
Instruction ID: efc79b7813ff17ce3ee602bae0de8d281e42cb6c8600f4fc7e2290a8abf3b2b9
Opcode Fuzzy Hash: 36e682b40685ef7ee5bbb4c8eaa04a6af8d5f652a3700dd43070738bb5e2fa9a
Instruction Fuzzy Hash: E8919EB1D082688FEB258B28DC946EABBB5FF84314F0441EAD84DA2680D7755FC5CF02

Function 02523E00 Relevance: 1.7, APIs: 1, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 071682226b20471e8c0d88ed6af4984a44dca9a95185c1a9fa286133cbe3ec77
Instruction ID: 351776f82971632d80512b77e75f046903c9bd3eac9f8c8e118cfd3824e76d41
Opcode Fuzzy Hash: 071682226b20471e8c0d88ed6af4984a44dca9a95185c1a9fa286133cbe3ec77
Instruction Fuzzy Hash: 13F1E3B1D045689FF7248A24DC45BEBBB75EF81310F0481FAD80E66380E6795EC68F51

Function 0251CD74 Relevance: 1.7, APIs: 1, Instructions: 428COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ad54c969940ec9d8ea0a7649e49e5e2c6d8be863fbd3def2c289cbdaa601283c
Instruction ID: 0670de0c4d4caf2b91950c774ef6cebed89c87c87914b403a374ae389a1df301
Opcode Fuzzy Hash: ad54c969940ec9d8ea0a7649e49e5e2c6d8be863fbd3def2c289cbdaa601283c
Instruction Fuzzy Hash: 9DF1CFB1D042699BE7208B24DC41BEABBB5FF85310F0481FAD84DA7640E6395EC6CF56

Function 02523D80 Relevance: 1.7, APIs: 1, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb4a11e0cf6f2b412f1f0f38cba33cf02f8c6e71f239aeeb87e8f00ccc1120b8
Instruction ID: 1f97783358d9ffba1def834648490fdb2aa147d5f92b6adee577fa3376e5357a
Opcode Fuzzy Hash: cb4a11e0cf6f2b412f1f0f38cba33cf02f8c6e71f239aeeb87e8f00ccc1120b8
Instruction Fuzzy Hash: 12F1E4B1D045689BF7248A14DC45BEBBB79EF81310F0481FAD90EA6380E6795FC68F52

Function 0252407E Relevance: 1.7, APIs: 1, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 16f6fb687bc914980df2e4226cd21a4a0ae253a70127c48ac0865eb57b8ad609
Instruction ID: 92a3bd2fee77a3c841bfc28a539397f846709527cc8a6a0c3fce32520e4646c5
Opcode Fuzzy Hash: 16f6fb687bc914980df2e4226cd21a4a0ae253a70127c48ac0865eb57b8ad609
Instruction Fuzzy Hash: DBF1E2B1D045689BF7248B24DC45BEBBB79EF81310F0481FAD80E66280E6795FC68F51

Function 0041425D Relevance: 1.7, APIs: 1, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef8c1668dea65dddc22df6dcf046ea42bb2230d9cefcaf97b6207085495547d
Instruction ID: 55609a824f60cee9716f1d17ae3aa197f78d86d512fe8d947a7185235d935f02
Opcode Fuzzy Hash: aef8c1668dea65dddc22df6dcf046ea42bb2230d9cefcaf97b6207085495547d
Instruction Fuzzy Hash: BD61C272D046288FD724CB29CD80AEABBB5EF88304F1481EAD40DA7294D6785BC5CE56

Function 00CBADCA Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,00001000,00000040,?), ref: 00CBB3C8

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 43670d47c1e9dd491f6372380848afd5ade688905aefd68faa0b148dd1691b21
Instruction ID: d3a7b930f58a63fe5161d47a6c97acb8ff2d9c0807577b89f972309b95cef88b
Opcode Fuzzy Hash: 43670d47c1e9dd491f6372380848afd5ade688905aefd68faa0b148dd1691b21
Instruction Fuzzy Hash: F45107F2D142249BF7288A24DC51BFB7BB8EB80311F1441FEDA0E66681D67D5EC18A52

Function 025235E9 Relevance: 1.7, APIs: 1, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1b8f3c473c5db2475b4ee3a1381978e2df7d54440b434cc5529c08ee324efaa6
Instruction ID: 79e77b7fac42ea5b6251d643961e54cc4bfa4f052ed28022ba1169015066c5ac
Opcode Fuzzy Hash: 1b8f3c473c5db2475b4ee3a1381978e2df7d54440b434cc5529c08ee324efaa6
Instruction Fuzzy Hash: 38F102B1C046699BF7248B28DC44BEABB75FF95310F0481FAD80E66280E6395FC68F51

Function 0251D6FF Relevance: 1.7, APIs: 1, Instructions: 417COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 62609fd74ac5d35a35f40aaad26328c58fdb3c8cdfdf4112696467d40b72c20b
Instruction ID: 5b64706044324f1eaee341ee8d656a25802a110e0350f4dad5bf4854499f76f9
Opcode Fuzzy Hash: 62609fd74ac5d35a35f40aaad26328c58fdb3c8cdfdf4112696467d40b72c20b
Instruction Fuzzy Hash: B3F1C0B1D041689BFB218B24DC41AEABBB5EF85314F0481FAD84DA7240E6385FC6CF16

Function 0251D173 Relevance: 1.7, APIs: 1, Instructions: 417COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 018e33128fe7920b94d2d3a51bc8969b7ba01c739b6e1842258d680c394b0094
Instruction ID: a2a39752f216579d4372d561ca770e65bec97b9835aea2ea8ef91f7ab0b1ff2b
Opcode Fuzzy Hash: 018e33128fe7920b94d2d3a51bc8969b7ba01c739b6e1842258d680c394b0094
Instruction Fuzzy Hash: EA029DB1D092688AEB258F28DC416EABBB5FF89310F0480EAD84DA7650D7345FC6CF55

Function 0251DDC7 Relevance: 1.7, APIs: 1, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a342dcd9ca99331cde2bf6bdc0b9118a3b603ad6781b044250909ef620a742f4
Instruction ID: 41be12340367c249176cccb6f32444e7bfa407662bd69dab01888305d7da54e6
Opcode Fuzzy Hash: a342dcd9ca99331cde2bf6bdc0b9118a3b603ad6781b044250909ef620a742f4
Instruction Fuzzy Hash: E9F1B3B1D052689BEB208B24DC41AEAB7B5FF85314F0480FAD94DA7240E6395FC6CF56

Function 0252365A Relevance: 1.7, APIs: 1, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 632a58d4b9440c19b0648dac9262503628e974a7fdff4f71b36e79fe224860d9
Instruction ID: 1d747499290895f7de462bbe2e84227206f62e806623d3e5e982424dff33a8a9
Opcode Fuzzy Hash: 632a58d4b9440c19b0648dac9262503628e974a7fdff4f71b36e79fe224860d9
Instruction Fuzzy Hash: DBE102B1C046699BF7248B25DC44BEABB75FF85310F0481FAD80EA6280E6795EC68F51

Function 0251D129 Relevance: 1.7, APIs: 1, Instructions: 401COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cdd4a6e1b8533941806f2e04b5779ef442f4716b0ecb1f71877b40e050b1a6c5
Instruction ID: c1f8a52d3efca01fa67b2e2b4d0c9ee3fb227bde68b51bedfb976ae181a85d0c
Opcode Fuzzy Hash: cdd4a6e1b8533941806f2e04b5779ef442f4716b0ecb1f71877b40e050b1a6c5
Instruction Fuzzy Hash: C1F1F1B1D052699BE7208B24DC41BEABBB5FF85300F0481FAD84DA7640E6395EC6CF56

Function 025237A1 Relevance: 1.6, APIs: 1, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e4f7083b0cf60427be9de7d4e641d34711a53cb34708e79f42ae3befa3e6214a
Instruction ID: b68480f685aee57ea0f06d48c413011f8161019beda311a05d2d1a58db9f520c
Opcode Fuzzy Hash: e4f7083b0cf60427be9de7d4e641d34711a53cb34708e79f42ae3befa3e6214a
Instruction Fuzzy Hash: 1FE1DFB1D046699BF7248A25DC44BEBBB75EF85310F0480FAD80EA7280E6795FC68F51

Function 0252367E Relevance: 1.6, APIs: 1, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 00c5003582102c3bd5141b44f6a213753ee386f8f9e602b80c811ecdf18253b4
Instruction ID: 15ea240492e0c153d1b1693fa98fa635027dc5eb6c4e2f362881fb01ce05f9e8
Opcode Fuzzy Hash: 00c5003582102c3bd5141b44f6a213753ee386f8f9e602b80c811ecdf18253b4
Instruction Fuzzy Hash: 22E1E1B1D046699BF7248B24DC44BEABB75FF85310F0481FAD80EA6280E6795EC68F51

Function 0251DCD2 Relevance: 1.6, APIs: 1, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c2d6c649e2e1baa43f699cb28eb06fda6a7e526f639a740b19787b5d361588bf
Instruction ID: 338e8d6985eef6b4462a80c23761a74c7ba556c08615d47bd160a3dfadcf7f95
Opcode Fuzzy Hash: c2d6c649e2e1baa43f699cb28eb06fda6a7e526f639a740b19787b5d361588bf
Instruction Fuzzy Hash: 19F1C3B1D042689BEB248B24DC41AEAB7B5FF85310F1480FAD84DA7240E6395FC6CF56

Function 0251DA71 Relevance: 1.6, APIs: 1, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f8daa251e5a91ae86092a3ceea3e50c7f022f86ad420f0dace9615d31f70abb5
Instruction ID: a4093410cfbeb263803db1151288ae1fda175f603a81f140aa2a8d4c17a523bf
Opcode Fuzzy Hash: f8daa251e5a91ae86092a3ceea3e50c7f022f86ad420f0dace9615d31f70abb5
Instruction Fuzzy Hash: 87E1D3B1D051689BE7218B24DC41AEABBB5FF85310F0480FAD84DA7241D6389EC6CF56

Function 02523BA3 Relevance: 1.6, APIs: 1, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f5917e9f8cf0eb32351dd55a2fbac56960e89d2a089e523a6d88763b2f2355e
Instruction ID: 2d44a43ef90b3755e601e03311a6a64a8cac202e2641b123bc4d97ce68374f9f
Opcode Fuzzy Hash: 5f5917e9f8cf0eb32351dd55a2fbac56960e89d2a089e523a6d88763b2f2355e
Instruction Fuzzy Hash: CBE1F2B1D046699BF7248B24DC44BEBBB75FF85310F0481FAD80EA6280E6795EC68F51

Function 025241AB Relevance: 1.6, APIs: 1, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3f2d03fa5596b8ccd7b38283cab3cdf986f90f72586131ed3da5e7afabc67a61
Instruction ID: c93e6d162b6be3787d890e138e402728099d359155b53d86263622f64432e5c0
Opcode Fuzzy Hash: 3f2d03fa5596b8ccd7b38283cab3cdf986f90f72586131ed3da5e7afabc67a61
Instruction Fuzzy Hash: 4BE1F4B1D045689BE7248B24DC45BEBBB75EF81310F0481FAD80EA7280E6795FC68F52

Function 0251DA7B Relevance: 1.6, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0cff8df51398586e2d3b212884640f1c0b977d19f6b7d56f4dfe69613170a4ba
Instruction ID: 83920ae07fe7ac036c2e06fe0d0e6a5dc4968495827f6e5c4b41fbc19d9c22cd
Opcode Fuzzy Hash: 0cff8df51398586e2d3b212884640f1c0b977d19f6b7d56f4dfe69613170a4ba
Instruction Fuzzy Hash: 6EE1D2B1D052689BE7218B24DC41BEABBB5FF85310F0480FAD84DA7241D6389EC6CF56

Function 0252369D Relevance: 1.6, APIs: 1, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 42481a7647596beb3b0faba8fa8eebc07ebb51e947738921e8d309b03c0a9e89
Instruction ID: a6981425586385abc4190bbabe6eacc4ac97d53156c537c5ebe2f0be1f4f6b63
Opcode Fuzzy Hash: 42481a7647596beb3b0faba8fa8eebc07ebb51e947738921e8d309b03c0a9e89
Instruction Fuzzy Hash: 32E1F1B1D046699BF7248B24DC44BEABB75FF81310F0481FAD80EA6280E6795FC68F51

Function 0252376C Relevance: 1.6, APIs: 1, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b5f9d08b2c31b73fd452273a6ab4e71c5e86bd892ed1c4fa35dd4a20199bb1b0
Instruction ID: 118b67149b10d998ba6d492c92e57cf4b2da27bf683b9f96c780ee033fc5a93b
Opcode Fuzzy Hash: b5f9d08b2c31b73fd452273a6ab4e71c5e86bd892ed1c4fa35dd4a20199bb1b0
Instruction Fuzzy Hash: 0FE1E0B1D046699BF7248B24DC45BEBBB75EF81310F0480FAD80EA6280E6795EC68F51

Function 0251D7D4 Relevance: 1.6, APIs: 1, Instructions: 374COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 237e44f665a9287c54dcc2fdf553b3516bc83ba852807aa9203f33f13300e365
Instruction ID: 3e806818bba4e97462d80557e8ff1280acb047352b6c359fe6188f9ad0afda32
Opcode Fuzzy Hash: 237e44f665a9287c54dcc2fdf553b3516bc83ba852807aa9203f33f13300e365
Instruction Fuzzy Hash: 45E1AFB1D041689BEB258B24CC41BEABBB6FF85314F0480EAD94DA7251D6385FC6CF16

Function 025241F2 Relevance: 1.6, APIs: 1, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8dab075495088b8315e27cdb03deece55d2ac3725a956baeed2078138db4cd1e
Instruction ID: d0a49deefb868b2c0aa5595abbdaba5916e1c943618b5ef4430151e56a16fbcc
Opcode Fuzzy Hash: 8dab075495088b8315e27cdb03deece55d2ac3725a956baeed2078138db4cd1e
Instruction Fuzzy Hash: 09D103B1D046689BF7248B24DC45BEBBB75EF81310F0480FAD80EA6380E6791EC68F51

Function 02523BD9 Relevance: 1.6, APIs: 1, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ca7d1aa2981cc0b410d31164be2f8430bf366a1ae2b28902d67bad02af66df6d
Instruction ID: 0e9436f0704ae73682aa20703bf02f0b20867ecf34756747868e5ee4df63a3a6
Opcode Fuzzy Hash: ca7d1aa2981cc0b410d31164be2f8430bf366a1ae2b28902d67bad02af66df6d
Instruction Fuzzy Hash: EEE1D1B1D046699BF7248B24DC45BEABB75EF94310F0480FAD80EA6280E6795EC68F51

Function 025236F4 Relevance: 1.6, APIs: 1, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 71e58f27764a3f980edc568aae15c1ff5ca118dbe02431360154ad41c845e861
Instruction ID: 17fc156130e6ad1ea800812723390f06f0d6b9af9c6591ff9317b949e6d48827
Opcode Fuzzy Hash: 71e58f27764a3f980edc568aae15c1ff5ca118dbe02431360154ad41c845e861
Instruction Fuzzy Hash: 61E1DFB1D046699BF7248B24DC45BEABB75FF85310F0480FAD80EA6280E6795FC68F51

Function 0251D40E Relevance: 1.6, APIs: 1, Instructions: 368COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 07eed11d892d216fe0f2b3e1e5958be9523ec0f1793a66c3d9cc5e5e93aa94c4
Instruction ID: 65f66895857b5bfc264ca05d78e637e25ccc70866d610541c4953c53e0d42fae
Opcode Fuzzy Hash: 07eed11d892d216fe0f2b3e1e5958be9523ec0f1793a66c3d9cc5e5e93aa94c4
Instruction Fuzzy Hash: FAE1D4B1E042689BE7218B28DC45AEABBB5EF85314F0480FAD84DA7241D6385FC6CF55

Function 0251D333 Relevance: 1.6, APIs: 1, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651467fb5282a52cc7f40f43e9e9d53f021e0dc2d4ccdd7ece0196be77c287cb
Instruction ID: 7eec01b33cd8b130ba9f3dc9a287e6318f281f051eae4117b9430af3dde747fd
Opcode Fuzzy Hash: 651467fb5282a52cc7f40f43e9e9d53f021e0dc2d4ccdd7ece0196be77c287cb
Instruction Fuzzy Hash: C0E1BEB1D042A89BEB258B28CC416EAB7B5FF89314F0481EAD94DA7250E7345FC6CF15

Function 0251D30C Relevance: 1.6, APIs: 1, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c3d6d33e301f75d303773e2c299509da0a2fdfaacfbfabb127c7825e5c2aa1
Instruction ID: 0fca3516d17f8d8f55cea748eb2f6c2a7699986adc3b3532d990b4daafbe6231
Opcode Fuzzy Hash: 74c3d6d33e301f75d303773e2c299509da0a2fdfaacfbfabb127c7825e5c2aa1
Instruction Fuzzy Hash: 65E1BEB1D042A89AEB258B28CC416EAB7B5FF89314F0480FAD94DA7251E7345FC6CF15

Function 0251DAD7 Relevance: 1.6, APIs: 1, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e4f0a44b911d762e28ee48c1331face9881dd428f41a60311b09f8ca665f375e
Instruction ID: 36ab603aa2cc0c9c37e94d3d7679a037d1a38d2ce283514d06f4c39f43842330
Opcode Fuzzy Hash: e4f0a44b911d762e28ee48c1331face9881dd428f41a60311b09f8ca665f375e
Instruction Fuzzy Hash: 3BE1D4B1D042689BEB218B24DC41BEABBB5FF85310F0480FAD84DA7251D6349EC6CF56

Function 02523C2A Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3a525df4bb406f93ab7209377e518178948875b0e0397cc8d2db14aded1d74af
Instruction ID: fa3fa2c1dcb6f2d121b1d1b3bbd9b2c68abb5b64ce3f716b20db1377ec18fd13
Opcode Fuzzy Hash: 3a525df4bb406f93ab7209377e518178948875b0e0397cc8d2db14aded1d74af
Instruction Fuzzy Hash: 0AD1D1B1D046699BF7248B24DC45BEBBB75EF85310F0480FAD80EA6280E6795FC68F51

Function 02524372 Relevance: 1.6, APIs: 1, Instructions: 356memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 025247C6

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bebd921562a826303b43a9fad6362f24c997b2019e8907db8fac0e09e8c1d6e1
Instruction ID: 9326a8ea0a34a246e3a84c66df543eec814d4ee143a10e65e4d4b08344974841
Opcode Fuzzy Hash: bebd921562a826303b43a9fad6362f24c997b2019e8907db8fac0e09e8c1d6e1
Instruction Fuzzy Hash: 14D1D0B1D046699BE7248B14DC45BEBBB79EF84310F0481FAD80EA6380E6795FC68F51

Function 02524739 Relevance: 1.6, APIs: 1, Instructions: 351memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 025247C6

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0239896bc62e41120d7cd9cbfe0b443268d1208fe438dae7df26f8b290800989
Instruction ID: 0f8749882f4ee287fe7f2e6699cab2048e2d2ea1676258a87c409da7d6e5e5b5
Opcode Fuzzy Hash: 0239896bc62e41120d7cd9cbfe0b443268d1208fe438dae7df26f8b290800989
Instruction Fuzzy Hash: 67D1DFB1D046689BE7248B14DC45BEBBBB5FF85310F0480FAD80EA6280E6795EC68F55

Function 0251DE07 Relevance: 1.6, APIs: 1, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e4e53fada7c956d3d9e97cdcf6162446305fc0bea3d24ac5d20df0c9839807
Instruction ID: 5ac31cc46d72324d8c276d59ae2b06f4ee1aa1af5ee2ad10cf3240f8b5893d3c
Opcode Fuzzy Hash: e8e4e53fada7c956d3d9e97cdcf6162446305fc0bea3d24ac5d20df0c9839807
Instruction Fuzzy Hash: BDD1D3B1D052689BEB218B24DC41AEABBB5FF85310F0480FAD84DA7640D6345FC6CF56

Function 0251DE02 Relevance: 1.6, APIs: 1, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0382e3579c041baf1e75902b87e20b3b2890330330aa6ba2f862bfa4f503b8
Instruction ID: 199319d3650c1131f10fa89744897401eab9ba64806ff53643fd78eaf69a7c6e
Opcode Fuzzy Hash: 9a0382e3579c041baf1e75902b87e20b3b2890330330aa6ba2f862bfa4f503b8
Instruction Fuzzy Hash: B3D1C2B1D052689BEB218B24DC41AEAB7B5FF85310F0480FAD84DA7640E6345FC6CF56

Function 02524308 Relevance: 1.6, APIs: 1, Instructions: 340memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 025247C6

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 44b17ac716bf454d5d1b14b4393ccfe5a47494c20ea658975a08a7d9088b8195
Instruction ID: bd608ee7a21f4e180c7f0a35d605c6351dff77f7cd9ba4c40659bd77a77d24a8
Opcode Fuzzy Hash: 44b17ac716bf454d5d1b14b4393ccfe5a47494c20ea658975a08a7d9088b8195
Instruction Fuzzy Hash: 47D1DFB1D046689BF7248B24DC45BEABB75EF84310F0481FAD80EA6380E6795FC68F55

Function 0252476E Relevance: 1.6, APIs: 1, Instructions: 338memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 025247C6

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bf710138b889c27f14ddb7c87f2f15c26157582b878d2f81cb89e3b4f02d27d8
Instruction ID: 5538944688b8d6fc8663eaf42bdf7f81c2fce46e3f1454830d483b14666ec757
Opcode Fuzzy Hash: bf710138b889c27f14ddb7c87f2f15c26157582b878d2f81cb89e3b4f02d27d8
Instruction Fuzzy Hash: E9D1D0B1D046689BE7248B24DC45BEBBB75EF85310F0480FAD80EA6380E6795FC68F51

Function 0251D38C Relevance: 1.6, APIs: 1, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6375f69c0f6cadbe31285d290fccbfbce7bd964d03536673a7ad17be4f786e8a
Instruction ID: 12c1664a82950ad6c399723f9287dbad80d9aceda2449fcc50a8365fcd361434
Opcode Fuzzy Hash: 6375f69c0f6cadbe31285d290fccbfbce7bd964d03536673a7ad17be4f786e8a
Instruction Fuzzy Hash: 54E1BFB1D042A89AEB258B28CC416EAB7B5FF85314F0480FAD94DA7251E6345FC6CF16

Function 0251DBCC Relevance: 1.6, APIs: 1, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9805fe815e896d360da598072cc2db8a5823c085afccd6f27ca2eea2153ba6dc
Instruction ID: 0c8c6e2fe99537df8d4bbad140f2829a3d3638f791cca7f9bf18a761469d4b51
Opcode Fuzzy Hash: 9805fe815e896d360da598072cc2db8a5823c085afccd6f27ca2eea2153ba6dc
Instruction Fuzzy Hash: DFD1C3B1D042689BEB218B24DC41AEABBB5FF85310F0480FAD84DA7251D6355FC6CF56

Function 0251DB4D Relevance: 1.6, APIs: 1, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0cdf6412d54e4214d8fa388111f78104a6bedac3a2e615b9d77c9faefe24a0a6
Instruction ID: 26b7138876bc36ecfe8d0d3c869cc752294e691043ca7bfe6396eae823fd3292
Opcode Fuzzy Hash: 0cdf6412d54e4214d8fa388111f78104a6bedac3a2e615b9d77c9faefe24a0a6
Instruction Fuzzy Hash: F4D1C2B1D042689BEB218B24DC417EABBB5FF85310F1480FAD84DA7251E6349EC6CF56

Function 025242A4 Relevance: 1.6, APIs: 1, Instructions: 327memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 025247C6

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 94d403468b8ad9dad55bdd87402976de041919405bb102ecb9b85d0a5c869a21
Instruction ID: 09610405b398674942370318635685fa960cfae63cfb1dec7ba2474c3be9b5ef
Opcode Fuzzy Hash: 94d403468b8ad9dad55bdd87402976de041919405bb102ecb9b85d0a5c869a21
Instruction Fuzzy Hash: 06C1DFB1D046699BE7248B24DC45BEBBB75EF84310F0480FAD80EA6380E6795FC68F55

Function 0252341D Relevance: 1.6, APIs: 1, Instructions: 326memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 025247C6

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1edae8b4b8e0c4ec0422b3d18eca2b9b5342438d9f727a2010cdc2954dc62dbf
Instruction ID: 262333c9844aa958f597dd0f65b2f9fa4b6f97e92ef9f9bb6f9b97c8117cb645
Opcode Fuzzy Hash: 1edae8b4b8e0c4ec0422b3d18eca2b9b5342438d9f727a2010cdc2954dc62dbf
Instruction Fuzzy Hash: 07C1DFB1D046699BE7248B24DC45BEBBB75EF84310F0480FAD80EA6380E6795EC68F51

Function 0251D8AE Relevance: 1.6, APIs: 1, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: df01d5d106556094c180bb87b6299109c6e411b25f81c4935701fe07c72c2f0c
Instruction ID: 344263e6a3dafdbc4529dc84721d6150dffa2a45bab2bb6896fd6d0e772d252d
Opcode Fuzzy Hash: df01d5d106556094c180bb87b6299109c6e411b25f81c4935701fe07c72c2f0c
Instruction Fuzzy Hash: A9D1C0B1D042A89BEB258B28DC416EABBB5FF85310F0481FAD94DA7250D6345FC6CF16

Function 0251D456 Relevance: 1.6, APIs: 1, Instructions: 321COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c7a38b4acfb1b885bfdff268aea664d71b493676cb20487b82e645c997c3a0b7
Instruction ID: 50beba9d7fa75113edac6548d2051ded52c6d0b36fd93bbb96aa6bba4b3bbf5b
Opcode Fuzzy Hash: c7a38b4acfb1b885bfdff268aea664d71b493676cb20487b82e645c997c3a0b7
Instruction Fuzzy Hash: 36D1D3B1D082A89BEB218B28CC416EABBB5FF85310F0480FAD54DA7251D6345FC6CF16

Function 0251DE76 Relevance: 1.6, APIs: 1, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e27ce3371ade90565ce916bf504824a82134472b849b75bfb1034f88a35db6fb
Instruction ID: 0923129932fbf61b1b36519ea38f894b151d5c63e61a75266587ade6573ad90c
Opcode Fuzzy Hash: e27ce3371ade90565ce916bf504824a82134472b849b75bfb1034f88a35db6fb
Instruction Fuzzy Hash: 86D1C2B1D042689BEB258B24DC41AEAB7B5FF85310F0480FAD84DA7251E6349FC6CF56

Function 0251DB66 Relevance: 1.6, APIs: 1, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 29be6b8c867bc56436faea252415b6071dd9d5c8106e24ca3e55df0603a52e3a
Instruction ID: b00217f22602104dc929efe59178cba1ae40a18c52fa90e757bf8d5c33abe7f2
Opcode Fuzzy Hash: 29be6b8c867bc56436faea252415b6071dd9d5c8106e24ca3e55df0603a52e3a
Instruction Fuzzy Hash: BCD1D1B1D042689BEB218B24DC41AEAB7B5FF85310F0480FAD84DA7251E6359FC6CF56

Function 0251DF2D Relevance: 1.6, APIs: 1, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: df66a821b05f4b7c6b5dfc8838d9df69658f913b5a7ed26184cf2fc81de8c0f4
Instruction ID: 4aba5b40e81948315b56fcd645c0678e4c8e7c2f4b15d9063f039963b1b1e5f2
Opcode Fuzzy Hash: df66a821b05f4b7c6b5dfc8838d9df69658f913b5a7ed26184cf2fc81de8c0f4
Instruction Fuzzy Hash: 54C1AFB1D042689BEB258B24DC416EABBB5FF85310F0480FAD84DA7251E6349FC6CF56

Function 0251D921 Relevance: 1.6, APIs: 1, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6524fc4bf208f42cd4637affa885d12da86c412202bd417c8e2a36f3981b3055
Instruction ID: 0ff8b3dacbc1411641e1ce1a2176b7b24567d16e158abfb878aed6017874885d
Opcode Fuzzy Hash: 6524fc4bf208f42cd4637affa885d12da86c412202bd417c8e2a36f3981b3055
Instruction Fuzzy Hash: F3C1B1B1D042689BEB218B28DC456EABBB5FF85310F0480FAD94DA7250D6385FC6CF56

Function 0251D586 Relevance: 1.5, APIs: 1, Instructions: 295COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 56c8d68be07dd5788406c347328ba721fd60bacd34e897f8b6606a02a1661f2e
Instruction ID: 60f98304ef68af9a7bb902f98d52b4aa1bede28c626e3d8945f314e9528635fb
Opcode Fuzzy Hash: 56c8d68be07dd5788406c347328ba721fd60bacd34e897f8b6606a02a1661f2e
Instruction Fuzzy Hash: 29C1C3B1D042689BEB218B28DC416EAB7B5FF85310F0480FAD94DA7650E6345FC6CF16

Function 0251CE03 Relevance: 1.5, APIs: 1, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e0fc851b8ece82499fef03ab6016128b5ba0b2e631db8000bec33735c4b92a25
Instruction ID: c44bb3fd0fc98bdaaf44c616922ba23b04f90156796e2ecec530b07e7579550c
Opcode Fuzzy Hash: e0fc851b8ece82499fef03ab6016128b5ba0b2e631db8000bec33735c4b92a25
Instruction Fuzzy Hash: F1C1BEB1D042689BEB218B24DC41BEABBB5FF85310F0480FAD84DA7250E6355EC6CF56

Function 0251D50C Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 48530621e337c3bc95c9742e65efd2931dca66ee0a45ef8abf044a7ccf887c04
Instruction ID: 2eef3302e22082c317f0661305b6c252d1bf8b339a31415b195f171f616eccd0
Opcode Fuzzy Hash: 48530621e337c3bc95c9742e65efd2931dca66ee0a45ef8abf044a7ccf887c04
Instruction Fuzzy Hash: AAC1A2B1D042A89BEB218B28DC416EABBB5FF85310F1480FAD84DA7650D6345FC6CF56

Function 0251D513 Relevance: 1.5, APIs: 1, Instructions: 287COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c639c2e9671f76f2cea39f651a55cad2985b24a0e8426f451829d2145220683c
Instruction ID: 970d590be821e0f2fd8e6e1876f7415e6ec7807c400eaa6a22d85f1887bbba9d
Opcode Fuzzy Hash: c639c2e9671f76f2cea39f651a55cad2985b24a0e8426f451829d2145220683c
Instruction Fuzzy Hash: FFC1A1B1D042689BEB218B28DC416EAB7B5FF85310F0480FAD94DA7650D6345FC6CF56

Function 0251D96C Relevance: 1.5, APIs: 1, Instructions: 285COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 417c221c039cba8a70c980f34202d5965cb8327d2cc595b091b6a2b0553acd7a
Instruction ID: 90e74e7ce9182c30880bb921b96a7724dd80e7da84cc86b0c30c271e5a73fafa
Opcode Fuzzy Hash: 417c221c039cba8a70c980f34202d5965cb8327d2cc595b091b6a2b0553acd7a
Instruction Fuzzy Hash: 7BC1A0B1D042689BEB218B28DC416EABBB5FF85310F0480FAD94DA7650D6345FC6CF16

Function 0251E05B Relevance: 1.5, APIs: 1, Instructions: 278COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c3465f3d71e806301fa3f7ffb86aad1d29bf72c56369853b1ad61710e2431eeb
Instruction ID: bffd6505b025961b63d302ac49c35b1c83322fc22d17f3405012d227d042bbd6
Opcode Fuzzy Hash: c3465f3d71e806301fa3f7ffb86aad1d29bf72c56369853b1ad61710e2431eeb
Instruction Fuzzy Hash: A1C1B1B1D042689BEB218B24DC416EABBB5FF85310F0480FAD84DA7251E6355FC6CF56

Function 0251CDAD Relevance: 1.5, APIs: 1, Instructions: 267COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9f9f02aee59f7943ccd171892d063a1b6b4d04803551356c427d495a96b67d8f
Instruction ID: 7a2e789fdbde3cf249a32935a7e806291503078391931ac93b82d9e000c72aa8
Opcode Fuzzy Hash: 9f9f02aee59f7943ccd171892d063a1b6b4d04803551356c427d495a96b67d8f
Instruction Fuzzy Hash: 40B1AFB1D042A89AEB218B24DC417EAB7B5FF89314F1480FAD84DA7250E6355FC6CF16

Function 0251D0BE Relevance: 1.5, APIs: 1, Instructions: 264COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a3c68ba5a0ae4b3f9ede6ce816736ec0b82a7bf61cda62af62c2f489b9d9c8b9
Instruction ID: fad5e5898b05983682042bca2b8b4b38a93aacb20c38c32354321da28baf6d90
Opcode Fuzzy Hash: a3c68ba5a0ae4b3f9ede6ce816736ec0b82a7bf61cda62af62c2f489b9d9c8b9
Instruction Fuzzy Hash: BEB1A0B1D042A89BEB218B28DC416EAB7B5FF85310F1480FAD84DA7251E6355FC6CF16

Function 0251CE53 Relevance: 1.5, APIs: 1, Instructions: 260COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a2c9d2bfe0c50d5c10bfb20442ecdb689ee5930378d7364bd96a25402b470ee9
Instruction ID: f294709a28c73f8f8fe0d29e09d9fb37825afe03beeb9ea3c17c77eaebb68198
Opcode Fuzzy Hash: a2c9d2bfe0c50d5c10bfb20442ecdb689ee5930378d7364bd96a25402b470ee9
Instruction Fuzzy Hash: A4B1A0B1D042A89AEB218B24DC417EAB7B5FF85314F0480FAD84DA7250E6355FC6CF16

Function 0251E4F3 Relevance: 1.5, APIs: 1, Instructions: 257COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cb31a84abb640be04d62deb8061670e7ab0268140fa3efd4ffbad041c17b6da3
Instruction ID: a891e9f8b702bee2fee1b9cc0cd7b449d632dc584fbca0449d21ae9b17271ec7
Opcode Fuzzy Hash: cb31a84abb640be04d62deb8061670e7ab0268140fa3efd4ffbad041c17b6da3
Instruction Fuzzy Hash: 84B1AFB1D042A89BEB218B28DC416EAB7B5FF85310F0480FAD84DA7251E6355FC6CF16

Function 0251E131 Relevance: 1.5, APIs: 1, Instructions: 253COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9ed5337de668e76555b6d822bd6acee58fa74b02fb10ff32de9dd520817a5475
Instruction ID: 0d6fadb316a878efe681b4944cbf80cb36a2e7997b2a23c1a36f336c164d1e9a
Opcode Fuzzy Hash: 9ed5337de668e76555b6d822bd6acee58fa74b02fb10ff32de9dd520817a5475
Instruction Fuzzy Hash: FEB1AFB1D042A89BEB258B28DC416EAB7B5FF85310F0480FAD84DA7251E6355FC6CF16

Function 0251E150 Relevance: 1.5, APIs: 1, Instructions: 245COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 493e42f7a3e062a671232b6eecc6bbd0d33d34aa4ad799f1b5d8bf55b8fc890e
Instruction ID: 5061b96d172f2ddb1ffcc7ce69f7e253bbecce73bb0eef7cc07a81f1a81048f8
Opcode Fuzzy Hash: 493e42f7a3e062a671232b6eecc6bbd0d33d34aa4ad799f1b5d8bf55b8fc890e
Instruction Fuzzy Hash: 66B1B2B1D042A89BEB218F24DC416EABBB5FF89310F1480EAD44DA7251E6345FC6CF16

Function 0251D1AB Relevance: 1.5, APIs: 1, Instructions: 245COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ee8bcabaf6cf8e0c50a572676a6a49afd8705cc3655e00f9b3bedd3338c817d2
Instruction ID: 8f7f1ad111e9f090488a3bd966a14b6b0c54b0824a1e168da72621c0f6afc596
Opcode Fuzzy Hash: ee8bcabaf6cf8e0c50a572676a6a49afd8705cc3655e00f9b3bedd3338c817d2
Instruction Fuzzy Hash: 9EA1B2B1D042A89BEB218F24CC416EAB7B5FF85310F1480EAD84DA7251E6345FC6CF16

Function 0251D1B4 Relevance: 1.5, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d7aca3b492e8fda41cdb94869fe373e110c29d01aeb374921c02df84d986ff5e
Instruction ID: 56a05b54e185ea42fc2e90c0fbdb1f1696d5d1100de8000b2b8fa72cb133670a
Opcode Fuzzy Hash: d7aca3b492e8fda41cdb94869fe373e110c29d01aeb374921c02df84d986ff5e
Instruction Fuzzy Hash: BAA1B2B1D042A89BEB218F28DC416EAB7B5FF85310F0480EAD84DA7251E6355FC6CF16

Function 0251E044 Relevance: 1.5, APIs: 1, Instructions: 239COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 41c7d3bd10d69fd64efbf65a09572c0039eed2639ebc93dd04def2b0f59454ce
Instruction ID: 2931d2b85398e8629542167bf4838f1c08f77ddba620312fd8579b1cd090da88
Opcode Fuzzy Hash: 41c7d3bd10d69fd64efbf65a09572c0039eed2639ebc93dd04def2b0f59454ce
Instruction Fuzzy Hash: 91A191B1D042A89BEB218F24DC416EAB7B5FF85310F0480EAD84DA7251E6355FC6CF16

Function 0251DA34 Relevance: 1.5, APIs: 1, Instructions: 238COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0251E56B

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 91f9873f1f828d18258c2f1c9a67aec2142c3cc22d78f5cb3377d3157bef2be8
Instruction ID: 3f8ef1c661dc427c0aac34a0fee494a387e6babe33a010850d02f01c914a91b3
Opcode Fuzzy Hash: 91f9873f1f828d18258c2f1c9a67aec2142c3cc22d78f5cb3377d3157bef2be8
Instruction Fuzzy Hash: 08A1A0B1D042A89BEB218F28DC416EAB7B5FF85310F0480EAD84DA7251E6355FC6CF16

Function 0041A1E4 Relevance: 1.4, APIs: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c18102a9b549633216f5c74cc17ab2ee03f2400ae3c4efad30dd2fb6268b7355
Instruction ID: f9afdad81f8fdcf05d3c57e3674116885cebb6d07487b47504391e48ceab0545
Opcode Fuzzy Hash: c18102a9b549633216f5c74cc17ab2ee03f2400ae3c4efad30dd2fb6268b7355
Instruction Fuzzy Hash: E75104B2D012259FE7208A14DC98BEB7B79EB94314F1440F7DD4DA7380D6789ED18E92

Function 025143B0 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55f027079e7cb60564dead9fd78a46f336e1de9c2e35134dc6d9648d162ecdf
Instruction ID: be23191a443b34c94f8fac2246a75142dbd09f1a764f7e22d24a02b39b56e69a
Opcode Fuzzy Hash: e55f027079e7cb60564dead9fd78a46f336e1de9c2e35134dc6d9648d162ecdf
Instruction Fuzzy Hash: BCE113B2D042649FF7208A24DC94BEB7B75FB81314F0941FAD84E66241D6385EC5CF96

Function 025149D9 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d776b3173f28ee399caa221a489f5f5ab3d8fbc779cfd1bffe9c82644a3ca4
Instruction ID: 4c71244ad1c328735ecb56bc3703539b93b76b94b5acfb5fcb5d000c13785d84
Opcode Fuzzy Hash: c3d776b3173f28ee399caa221a489f5f5ab3d8fbc779cfd1bffe9c82644a3ca4
Instruction Fuzzy Hash: B29101A2D042249FF7148B24DC54BEB7B65FF81310F0541FAD94E6B281E6786EC1CA96

Function 02514C96 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352f2487a9d62c9517a5208b56053ed359e218441c90e30d5cf73d8cfaf54a99
Instruction ID: d0c577f39d3d4d1000329491dbc777830b9da1eba3486cac946731df0ae943e0
Opcode Fuzzy Hash: 352f2487a9d62c9517a5208b56053ed359e218441c90e30d5cf73d8cfaf54a99
Instruction Fuzzy Hash: 879132A2D146249FF7248B24DC44BEB7B79FF91310F0501FAD94E6B281E6785EC0CA96

Function 02514B83 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c1b6dd75e3f448bedbbe60c47beef4ef8e6f32f39c858370462287ae324694
Instruction ID: 1077515e351dff153d9252b173b3b12fe6b71510745fc9d3404910c45377cf66
Opcode Fuzzy Hash: 93c1b6dd75e3f448bedbbe60c47beef4ef8e6f32f39c858370462287ae324694
Instruction Fuzzy Hash: 288124A2D082648FF7149B24DC94BEB7B75EF91310F0501FAD98E66281E6385EC1CF96

Function 025149FD Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f2c22fcb8c161386fdd9af565e69adcd0a142fbdbfea471650a6e5ef1fc234
Instruction ID: d3c1d842616484a287399b77c0c2483e3b150d24524f07301feced5c3d47ff24
Opcode Fuzzy Hash: 38f2c22fcb8c161386fdd9af565e69adcd0a142fbdbfea471650a6e5ef1fc234
Instruction Fuzzy Hash: 197122A2E146649FF7148B24DC44BEA7B75EF91300F0501FAD94E6B281E6786EC0CF96

Function 02514A37 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4594d1129ccd24c4aef7ef681547a68d34dabb95191ed0ba44d4d5a32f0dcbac
Instruction ID: 20c4ea8861877435694118edf4665357f37f016e67fdd7527bee28c96114c07c
Opcode Fuzzy Hash: 4594d1129ccd24c4aef7ef681547a68d34dabb95191ed0ba44d4d5a32f0dcbac
Instruction Fuzzy Hash: 307133A2D146648FF7149B24DC44BEB7B74EF91300F0501FAD98EAB281E6395EC0CB96

Function 0251494C Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e172ba863579ed008d12eba08a48b321337b4d2d42deeae5d5033ffb2c369b
Instruction ID: fed9923f41f4506c0e20737dac9c9a18a4070a0b0a6f3c3b36af9f1024dd8f70
Opcode Fuzzy Hash: 17e172ba863579ed008d12eba08a48b321337b4d2d42deeae5d5033ffb2c369b
Instruction Fuzzy Hash: 664189B2D045249FF7108A60DC95BE77B68EF82310F0442FAD84E96281E6786EC5CE93

Function 0251496A Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87dac4123fe516796939c386e0ab43032901f91499b0ef24b7da3bb22314316
Instruction ID: f35796397e6d51434f274489aac1c3a3ae5f096e1e462f7e7dba90aada7eb66a
Opcode Fuzzy Hash: f87dac4123fe516796939c386e0ab43032901f91499b0ef24b7da3bb22314316
Instruction Fuzzy Hash: 634156B2D046649FF7109A60DC55BE77B68EF82310F0442FAD88EA7181D6786EC5CE92

Function 0041B0A6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BA7K, xrefs: 0041B0ED
KMO?, xrefs: 0041B161

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: BA7K$KMO?
API String ID: 544645111-982559411
Opcode ID: 99ddc2b67476b2347748145275dc7ec355c2bfc88c4de2235ec212d4dc09f047
Instruction ID: 8d375e5a3e5d64dc31fa456cfe304ae375048e662fcce7c09d6158256a77fdec
Opcode Fuzzy Hash: 99ddc2b67476b2347748145275dc7ec355c2bfc88c4de2235ec212d4dc09f047
Instruction Fuzzy Hash: 5141A9F2D48214AFF7108A25DC84BEB7B29EB91314F1480BBE84C56580D67C4FC28AA7

Function 0041B0BB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BA7K, xrefs: 0041B0ED
KMO?, xrefs: 0041B161

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: BA7K$KMO?
API String ID: 544645111-982559411
Opcode ID: b3b61a8ac74895e74504ec25524f4e5a51f69929cc0d455e9b33d0f62f99b9a5
Instruction ID: fe2ee70aaf04f7e3277a0ecce4d31d350e849c2cd53664e07033b2e423a8cb10
Opcode Fuzzy Hash: b3b61a8ac74895e74504ec25524f4e5a51f69929cc0d455e9b33d0f62f99b9a5
Instruction Fuzzy Hash: B6319BF2D44214AFF7108A24DD84BEB7729EB90314F10817BE80D56580D67C0FC28EA7

Function 0041B0D2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BA7K, xrefs: 0041B0ED
KMO?, xrefs: 0041B161

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: BA7K$KMO?
API String ID: 544645111-982559411
Opcode ID: 60c0dc815876eb394188417ce6fb4030e392055f8047786d3cdad65afce3ac44
Instruction ID: 518e9351469f8adbaf58ca121205b2dabd89fe75e7849debeaee1ec382721bcb
Opcode Fuzzy Hash: 60c0dc815876eb394188417ce6fb4030e392055f8047786d3cdad65afce3ac44
Instruction Fuzzy Hash: C63146F2D44604AFFB108A24DDC5BEB7765FB90314F2081BBE84D96580C67C4EC28EA6

Function 0041B0DD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BA7K, xrefs: 0041B0ED
KMO?, xrefs: 0041B161

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: BA7K$KMO?
API String ID: 544645111-982559411
Opcode ID: 853b9ca04643e4498b8ce249aaff31effd0ee0d80ec036a84c1b7f337f9717a2
Instruction ID: a4299aee007434edc4f1fad4cfc399e56ab5149b6caf1286c9dc6a028abbf0ef
Opcode Fuzzy Hash: 853b9ca04643e4498b8ce249aaff31effd0ee0d80ec036a84c1b7f337f9717a2
Instruction Fuzzy Hash: D7315AF2D44214AFFB108A24DD85BFB7769EB91314F1081BBE84D56580D67C4FC28EA6

Function 00CAD036 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

AYVP, xrefs: 00CAD03A
jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: AYVP$jjjj
API String ID: 963392458-1055777859
Opcode ID: 57a61e12a04aadf13632ff4f52ad7bc13d0528fbeb1a04166b50b0c9682dfa36
Instruction ID: 5f85b7884180dfc079fa94622e2051890ccb05d487f408c4e39dc24e7f2629d7
Opcode Fuzzy Hash: 57a61e12a04aadf13632ff4f52ad7bc13d0528fbeb1a04166b50b0c9682dfa36
Instruction Fuzzy Hash: 523105F2D443199FF7248911EC85FFA7639E780314F2442BAF90B26A84DA7D5FC18A52

Function 02518AF8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 213registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: e13cb54327555cebc8225b1d9ab84f1113d8ceb505d83e68055340efedb2236a
Instruction ID: caeb945e9a2c7c80187d94162361f5bb7c9bbc5db91a15f4b8a58bc5bbad8431
Opcode Fuzzy Hash: e13cb54327555cebc8225b1d9ab84f1113d8ceb505d83e68055340efedb2236a
Instruction Fuzzy Hash: 8D7101B2C092149BF7248B24DC89BFAB775FF14310F1445FAE80E96680E6395AC5CE56

Function 02525439 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 025268AD

Strings

R, xrefs: 02525482

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID: R
API String ID: 2738559852-1968290334
Opcode ID: 7420c00f8ed87e78f41e9eda3788c77f6466de3fb47cc0b3e30b2d930fa29b42
Instruction ID: 86b15551e1174cf544621fa3b13fc731554ff1a95d6ad88aede081ec8a9397b2
Opcode Fuzzy Hash: 7420c00f8ed87e78f41e9eda3788c77f6466de3fb47cc0b3e30b2d930fa29b42
Instruction Fuzzy Hash: 675137B2D151269BE7188B24DD40BFBBB7AFFD1310F0481BAD50D962C0E2398AC5CB91

Function 0251902F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: Ph?
API String ID: 0-2294233904
Opcode ID: 702e1306a79956221191506d570cff936ffe6e866dbe02b021f55942832614ac
Instruction ID: 58e4ee5318620ba6044af34f9f73e1aeec3d40d0884a24696a29f7fb2ac02167
Opcode Fuzzy Hash: 702e1306a79956221191506d570cff936ffe6e866dbe02b021f55942832614ac
Instruction Fuzzy Hash: 9F519CB1D145289BFB358B18DC55BEAB7B4FF54314F0442FAD90D62280E6785FC28E14

Function 02519008 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: Ph?
API String ID: 0-2294233904
Opcode ID: 53a87a705510311d901611027d713b48160e557bd0f5dfe9a1068ceebf4da2af
Instruction ID: d312a80a0e36c054e765ddb94bf4807647da22da1366fd6bbc7a8d521236801f
Opcode Fuzzy Hash: 53a87a705510311d901611027d713b48160e557bd0f5dfe9a1068ceebf4da2af
Instruction Fuzzy Hash: B451ADB2D045289AFB358B18DC55BEAB7B4FF54314F0442FAD90D62280E7785FC68E04

Function 00CACC7D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 0e49e0b74dd3b5c4f80a5c6d521b45afacf2138b859b315511409426c71b6e4a
Instruction ID: c3ef967d91b8f600690d8a4f880dd1495ca99c8a5fbe2f5faac38240e28018e8
Opcode Fuzzy Hash: 0e49e0b74dd3b5c4f80a5c6d521b45afacf2138b859b315511409426c71b6e4a
Instruction Fuzzy Hash: 464125B2D442159BF3248A11EC85FFB7728E784324F2481BAED0F26A84DA7D5FC18A51

Function 00CACC8F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: fc943ff3e22aba6163275a2c5525feb81b2eddd97a8bb28c81ff58a182882f7f
Instruction ID: 6039e2b8ddb149f6771f0c422b0f05d439bd6a9ac2834a736e6d1b22eb0ced33
Opcode Fuzzy Hash: fc943ff3e22aba6163275a2c5525feb81b2eddd97a8bb28c81ff58a182882f7f
Instruction Fuzzy Hash: 9A4126B2D442199BF3248A15EC85FE77728E784324F2441BAED0F26A84DA7D1FC18A51

Function 02525CF8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 025268AD

Strings

:PDA, xrefs: 02525DC5

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID: :PDA
API String ID: 2738559852-1201672814
Opcode ID: 5432a28f903352d3cd205a5f21f45ec29890da8dc9ad520dcd2c50fefd7f0987
Instruction ID: 3a017703bd88b968498868ac86468facd19bb70e86cbecd03181d6be0cb3561f
Opcode Fuzzy Hash: 5432a28f903352d3cd205a5f21f45ec29890da8dc9ad520dcd2c50fefd7f0987
Instruction Fuzzy Hash: 964127F3E055249FF7248A24DC45AE77B78FBC5311F0541FAE50E8A2C1E2785ACA8E52

Function 00CACC29 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 2cd33a3824cbd3e42e59681beb5d0caa253d403d42e3c2b12ee9f94a57fbc975
Instruction ID: 1ad70903f402bef8cab1f8dbdfae4778e4cba10a59fc28b30f83528f6ed078b6
Opcode Fuzzy Hash: 2cd33a3824cbd3e42e59681beb5d0caa253d403d42e3c2b12ee9f94a57fbc975
Instruction Fuzzy Hash: 534114F2D04305AAF3284911EC85FFB3628E780314F2441BAF90B26AC4DA7D1FC58952

Function 00CAC500 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 71548ff588c8a25b89e926bde5db5f08b0f2232d596427d4319eb5e190d85d70
Instruction ID: ead35a285c72f73bf8e384df2513b575b173bf9399e99cc220fbbd76f617a90c
Opcode Fuzzy Hash: 71548ff588c8a25b89e926bde5db5f08b0f2232d596427d4319eb5e190d85d70
Instruction Fuzzy Hash: 39317BB2D4432A5BE7308A21DC84FE7B779EB45314F0480FAF80E66680D2B91FC18E91

Function 025190F7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 4c31dc82b892778bf38b3542b782e6ce7ba42086a001c0cfe11767495fa72d38
Instruction ID: 03c818aba2c01411086b5fc479a67f78e6e4ecdbd6765b5ed43b22fadcbc6381
Opcode Fuzzy Hash: 4c31dc82b892778bf38b3542b782e6ce7ba42086a001c0cfe11767495fa72d38
Instruction Fuzzy Hash: AA31D0F2D541156FF7388A18DC9ABFB7768EB80310F1441BAD90EA6680E6BC5FC18E51

Function 025191BE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 8ad9bddbd8eae0ce8c66993eb1f206818897a0a6f52c4beeaf4a53591353a7e8
Instruction ID: 727b45c0c7c47b383ad4a161b55248ce9e5dff93534e53019d150deef2d7a878
Opcode Fuzzy Hash: 8ad9bddbd8eae0ce8c66993eb1f206818897a0a6f52c4beeaf4a53591353a7e8
Instruction Fuzzy Hash: F23103F2D151159BF7388A14DC55BFA7769FB94300F0441BAD90E96680E6BC8FC18E51

Function 0251910A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 490c7e86cc4ab99c72bf810ba5f23c468464c4b7f85be99d9850f39b35cee4ae
Instruction ID: f2fe3f9e6f2246e867fd4b279ec4edb288e36aea3a933394ddceec65504450b8
Opcode Fuzzy Hash: 490c7e86cc4ab99c72bf810ba5f23c468464c4b7f85be99d9850f39b35cee4ae
Instruction Fuzzy Hash: 9831C2F2D441155FF7388A18DC99BFB7768EB80310F1441BAD90EA6680E6BC5FC58E51

Function 0041B0F3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

KMO?, xrefs: 0041B161

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: KMO?
API String ID: 544645111-3566493764
Opcode ID: d02b30af1ebc46168b3cc64ff19230de9e7d2acd7c0577e19570f0e8984fc77a
Instruction ID: a8833e74c5dfe6ae15aa5f7d3f56686113766aa345adcb28aac52213c8f94dbd
Opcode Fuzzy Hash: d02b30af1ebc46168b3cc64ff19230de9e7d2acd7c0577e19570f0e8984fc77a
Instruction Fuzzy Hash: ED3159F2D44214AFFB108A24DD84BEB7769EB90314F2581BBE80C56680D67C0FC28E96

Function 00CAC52F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: a55d42a32fb0449322a8a1dc0ff1a3912b3131c29a802282ac1bd1e5f17bd2f5
Instruction ID: 7a78e5e053b77bf5dc671a8ab9f21ddf7d28c806a43e0c622b439815df66041f
Opcode Fuzzy Hash: a55d42a32fb0449322a8a1dc0ff1a3912b3131c29a802282ac1bd1e5f17bd2f5
Instruction Fuzzy Hash: 473168F2D0532A5BF7208A61DC95BE7B779EB45304F1480FAF80E66680D2B91FC18E91

Function 00CAC5F6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 6675f78076dc058b8477b674f3f583a0506f49036ba4e3603563ee60faa9ef2a
Instruction ID: 3c2affd8e0a594f46d364a9467f200026d0949eb44251925112a1e64bb6c8ddf
Opcode Fuzzy Hash: 6675f78076dc058b8477b674f3f583a0506f49036ba4e3603563ee60faa9ef2a
Instruction Fuzzy Hash: 133157F2D0431A6BF7208A21DC91BE6B779EB45304F1880F9E80EA6680D2B95FC08E50

Function 02518A76 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 95f306905971f6d931cde9d6269b92bd6b8f24129d9230b6b6e3d66d04b0db07
Instruction ID: af7afdeb1e4623ca7a1192cbd81cff2bb0a3c8bb6e03994f60b2a414f377ffe0
Opcode Fuzzy Hash: 95f306905971f6d931cde9d6269b92bd6b8f24129d9230b6b6e3d66d04b0db07
Instruction Fuzzy Hash: A62128E2C145689BF7304A24DC4DBFB7B68FB41320F0846BAD84955981D7794BC9CA52

Function 00414414 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Strings

FZWS, xrefs: 00414418

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID: FZWS
API String ID: 3070290716-4186486854
Opcode ID: 603d92c9521ec5b4c15847d1b22ea47be2f3016f587f1c45e2df1241eefd7b30
Instruction ID: daa70a0f0b3ca0bf90d91e572d052b112d8ddff4875c7187838b6c3e153f0be1
Opcode Fuzzy Hash: 603d92c9521ec5b4c15847d1b22ea47be2f3016f587f1c45e2df1241eefd7b30
Instruction Fuzzy Hash: A641C471D045288FDB24CB69CD84BEABBB6EBD4305F1482EAD40C67294C7785BC9CE46

Function 00CAD067 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: e780a790220883ea22df20e9b8649ae09045a8e63348ee44d9e2f26a2ef325de
Instruction ID: e927c39f8875f46d102ea0b85639be27a19fea01e5218c7c6c135da0ffc92130
Opcode Fuzzy Hash: e780a790220883ea22df20e9b8649ae09045a8e63348ee44d9e2f26a2ef325de
Instruction Fuzzy Hash: 003135B29083459FF7208A11EC85FFA7735E780314F2841FEF90B26A85DA7D1BC58A12

Function 00CAD086 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 4a23adc0df1eeed32f9b51507e8ad81afeefbea58b7c7a6aa5a10580896975e9
Instruction ID: db9b2c597ff45af4f0bbceb2b2e5c81acc59fe4c9db7a7b22aeaa044f7b3e802
Opcode Fuzzy Hash: 4a23adc0df1eeed32f9b51507e8ad81afeefbea58b7c7a6aa5a10580896975e9
Instruction Fuzzy Hash: C63156B1D083459FE7248A10DC45FF67735EB81310F2841FEF90B19A81D6795F858A06

Function 02519292 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: e0bd1b4241dc25f47ea99dbaf07e388f3b30ee26c7c1d768c1dcf5709500c9fb
Instruction ID: fd8c0d04a50953d72bee9841f4c6e4b5c42dc56d638bab84fc35699c96c87da9
Opcode Fuzzy Hash: e0bd1b4241dc25f47ea99dbaf07e388f3b30ee26c7c1d768c1dcf5709500c9fb
Instruction Fuzzy Hash: 4F21E5F3D151259FF7348A18DC95BFA7768EB50310F1441BAD90DA6680E6BC4FC08E51

Function 0251965B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 279e80c552c357aa643471d0816545c1a78a8fa0ea86862ef44f9b523458aab9
Instruction ID: 6889350b727ebd1f5bff1ad758a1a47aa59f873e34c724c030b7a8bc3c29abbf
Opcode Fuzzy Hash: 279e80c552c357aa643471d0816545c1a78a8fa0ea86862ef44f9b523458aab9
Instruction Fuzzy Hash: D821B1F3C191159BF7348A14DC9ABE677A8EB10300F1801FAD90E96280E6BD8FD1CE51

Function 0041B14C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

KMO?, xrefs: 0041B161

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: KMO?
API String ID: 544645111-3566493764
Opcode ID: 13bba247a31b2437c847d6cd7700bdefbaf720da2429000bb8402dd6dfb22b41
Instruction ID: e1d9a0bce33dd32428a726e34ee833ea0d9f13118be23c55441caf71ba35fc79
Opcode Fuzzy Hash: 13bba247a31b2437c847d6cd7700bdefbaf720da2429000bb8402dd6dfb22b41
Instruction Fuzzy Hash: D22134F2D44614AEFB108A20DD89BEF7765EB95315F2081BBE90C95484D37C4FC28E9A

Function 02519211 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 25bb8623a564ed418f2bbdf21d10ddfaff738355cacdf1c98409e42e47198c94
Instruction ID: 57a15147a0cfa2763adb2bb9734c9c0524431b044b53fafc863646c3ae61102e
Opcode Fuzzy Hash: 25bb8623a564ed418f2bbdf21d10ddfaff738355cacdf1c98409e42e47198c94
Instruction Fuzzy Hash: 4421B0F2D151159BFB388A18DC99BFAB769EB44304F1442FAD90DA6680E6BC5FC0CE50

Function 00CAD0AD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: f9101f898db2d8a36029bf2420f67f32d0febad9086b9ba0feb513e37c3c0f5b
Instruction ID: be534ee200cc543987ce5e65b6430e130e198f9f3b2789375f64624c83c5a4a7
Opcode Fuzzy Hash: f9101f898db2d8a36029bf2420f67f32d0febad9086b9ba0feb513e37c3c0f5b
Instruction Fuzzy Hash: C421D0B29443596BF7248A11EC86FF67339E784310F2441BDFA0B26A80EA791FC18A55

Function 02518A7B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 13edbb2fdf41a77a9e19a6e66c14fe9969c3d51963dafb9452386177e3f04e3e
Instruction ID: 29ae20bbbb66127db5e0ab6a32ade12edb4339dcdf024e46d40dc7a16cd21ec6
Opcode Fuzzy Hash: 13edbb2fdf41a77a9e19a6e66c14fe9969c3d51963dafb9452386177e3f04e3e
Instruction Fuzzy Hash: 1221D7B2C141189BFB344A14DC49BFB7BA8FB44310F4846FAE84995581D7B94BC5CE92

Function 0251921C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 264b084a436f594f887778fdd8c0b62c4631b14476604caf6301183aa2824c94
Instruction ID: e6c318a6a5b0e13f0d5e5540b866d247387f3908d7d501089b855d865a11e77c
Opcode Fuzzy Hash: 264b084a436f594f887778fdd8c0b62c4631b14476604caf6301183aa2824c94
Instruction Fuzzy Hash: 5C21B2F2D155159BFB348A14CC99BFA7768EB50300F1401BA990D96680E6B84FC18E50

Function 02519676 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 5a7669389fc93df8a6035789a8f8e7b5b67481c48d6e3d534e0a1dc96153f1fd
Instruction ID: 801549fe7de700734dc91a87e85ea6923487f4b74d610bafa8f6bb443b5ce10f
Opcode Fuzzy Hash: 5a7669389fc93df8a6035789a8f8e7b5b67481c48d6e3d534e0a1dc96153f1fd
Instruction Fuzzy Hash: 1D21B3F2D151159BFB348A18DC99BFA77A8EB14310F1401FAD90DA6680E6BC5FD0CE51

Function 02519DFE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 98d240a77a5661396d6d414522bf6e4efd3ba03177167a572a44909354f3e273
Instruction ID: 9f99614ecb46f2aa10ab9ba1a2d58a9e6076f047e893b18b10e3062d42058d7f
Opcode Fuzzy Hash: 98d240a77a5661396d6d414522bf6e4efd3ba03177167a572a44909354f3e273
Instruction Fuzzy Hash: FC1193F2C115189BF7248A00DD5ABFB7768EB04311F1442B7D90E96280D5B89BC1CE95

Function 00CAD5EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 20e4a1d0d062b5641eee1e6481d3c2aa0e3170e59113f32de7a91e4c47d48ca5
Instruction ID: 3ddb8c8dfd077ba7336d381231ed483fd937443d4aa20b4f7220ebb2bdfa978d
Opcode Fuzzy Hash: 20e4a1d0d062b5641eee1e6481d3c2aa0e3170e59113f32de7a91e4c47d48ca5
Instruction Fuzzy Hash: 4511E6F2D483196BF7248A11EC56FF67328E744710F1442FEFA0B256C0E6B92F804A51

Function 02518B3F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 6dbf794af0b7b51a0206f17a9ed2908a6875852448d3b1778fbba4b10011bc09
Instruction ID: 836e64c98d409007425c4bb671b899516cc543b6ef281f7ac7ec845c88868da8
Opcode Fuzzy Hash: 6dbf794af0b7b51a0206f17a9ed2908a6875852448d3b1778fbba4b10011bc09
Instruction Fuzzy Hash: 271125F3C14418AEF7304500DC4EBFA7268E754315F084ABBD94AD1580D7BD4AC5CE52

Function 00CAD0EE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 01c018c52c575891a276cd42e2595f61fe2e992ad3e96b7205e15bc9cb9c0f8d
Instruction ID: 6f9967a238d887d91eb467522b0da2d11522683ae953cc848f348137114c3f07
Opcode Fuzzy Hash: 01c018c52c575891a276cd42e2595f61fe2e992ad3e96b7205e15bc9cb9c0f8d
Instruction Fuzzy Hash: 091104B2A44359ABE7208A11DC41FE67339E781711F1441F9F90625A80D6751F808E55

Function 02518B32 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 51378c83972f23baa74f426988e41eeeb0f22dddb31f66947647f9d532d5da3c
Instruction ID: a464dcd9834beaf05ae7bd02552677ba373bf95cbbf81544b0d9cf8a885f4d3f
Opcode Fuzzy Hash: 51378c83972f23baa74f426988e41eeeb0f22dddb31f66947647f9d532d5da3c
Instruction Fuzzy Hash: C811C4F3C15405AEF7308900DD4ABFA7268F754315F084ABAD90AD5A80D7BD8FC5CA56

Function 02519E10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 2b2dc7387bcdf4d43713a0a45ef1ab58c751d8c5d6521613cd854813b91b95f3
Instruction ID: 5d543f489a17124ae88c9aae7560203bc04a862312db28a930112a2b76c8c9ac
Opcode Fuzzy Hash: 2b2dc7387bcdf4d43713a0a45ef1ab58c751d8c5d6521613cd854813b91b95f3
Instruction Fuzzy Hash: 371182B2C015149FFB248A04DD5ABFB7768EB04311F1442FAD90DA6680E6BD9BC1CE95

Function 00CAD1B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 671597b5841e1523677900ca648f68f3dce3c1f2a16d4d310ee05830db68df72
Instruction ID: 16ac86e7d4b7586ecf701950c33421be7bfd7d10ba9b5e314d505b9921aa3601
Opcode Fuzzy Hash: 671597b5841e1523677900ca648f68f3dce3c1f2a16d4d310ee05830db68df72
Instruction Fuzzy Hash: A71102B1D08359AAFB208A11DC41FEAB335F784755F2441F9F90B26A80E6752FC08E54

Function 02518AC1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 8ebb7f44dc88f47b29242ba9c07b06a7087df78b28fd08135412bed4800c61aa
Instruction ID: a956e883feae44c2b8f401261a3c5d5f7bef87f77c722424679a9049ebdd7dea
Opcode Fuzzy Hash: 8ebb7f44dc88f47b29242ba9c07b06a7087df78b28fd08135412bed4800c61aa
Instruction Fuzzy Hash: 9801D2F2C140049AF7348900ED4ABFB7668F704324F0846BAE90AA55C0D7BD4BC4CA56

Function 02518DCE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 895539d09c69e3d99d4039e310c8cda62506051b27437a81f0f61ad221e42880
Instruction ID: d420082142f587f3e4ad3091b4d0b81628196ab4a7466b3eee50b118b7d23404
Opcode Fuzzy Hash: 895539d09c69e3d99d4039e310c8cda62506051b27437a81f0f61ad221e42880
Instruction Fuzzy Hash: 0211C0F2C144099FF7308900DC4ABFA72A8FB54314F0849BAD90AA2680E7BD4BC4CA56

Function 00CAD1CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: b3fd1f676b41be3c7fefdaab99349340e42fe0549185fb0b33c63de6c3970fd0
Instruction ID: 29d36a06e0fffa982b8fff33a29aaf5d79592af33f9362f2829d3b18ccccfa16
Opcode Fuzzy Hash: b3fd1f676b41be3c7fefdaab99349340e42fe0549185fb0b33c63de6c3970fd0
Instruction Fuzzy Hash: BA1104B1908759ABF7308A11DC42FBAB375F784714F2446EDF50B25A80D6752F808E44

Function 0251A1EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 19d02807c26f27d9082fc2cf19c97259831d7769e88bf91d0daee58d33c2b969
Instruction ID: 68c24bbc3ccf0a385110a79b318645c9a1da8676c555a73345a57a70b534f144
Opcode Fuzzy Hash: 19d02807c26f27d9082fc2cf19c97259831d7769e88bf91d0daee58d33c2b969
Instruction Fuzzy Hash: 330180F2C15558AFFB248A50DC46BFB72A8EB14310F1406B6E909E6280E6BD8FC4CE55

Function 02518E73 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: bcbd25e33be6df7c240c6772f86f96a0e9d9afef977ae2b3194d36c4305a70b2
Instruction ID: 2653cef851d3b9298aa825bca7842918017e317022714d5cfbbdb56411551ad6
Opcode Fuzzy Hash: bcbd25e33be6df7c240c6772f86f96a0e9d9afef977ae2b3194d36c4305a70b2
Instruction Fuzzy Hash: 2E01D2F2C040089FF7308900DC4ABFA7268E744314F0845BAD909A1680D7BD4EC4CA11

Function 02519E35 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: ad56a847cf1d184b0cc1197c6656717f9f5fa0db7cc025dfa61769f14cab1f55
Instruction ID: e53c3e75bc6c26e40a5b3b3075be08cd36c382fd16ee3be2030a50617f7ce7c0
Opcode Fuzzy Hash: ad56a847cf1d184b0cc1197c6656717f9f5fa0db7cc025dfa61769f14cab1f55
Instruction Fuzzy Hash: 4F0184B2C045149FF7248A04DC5ABFB7768EB04311F1401FAD90D96680E6BD9FC1CE51

Function 0251F18E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Strings

LM5I, xrefs: 0251F18E

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID: LM5I
API String ID: 823142352-636820872
Opcode ID: 8041f6fd757f819b02b9295a78ed3599f2050d8a86f546a68e0d34c4d1aeefde
Instruction ID: 9c0c2bbdcd788c74195bc746493cadc43d785f274057be6444ebf5a7bd5e4881
Opcode Fuzzy Hash: 8041f6fd757f819b02b9295a78ed3599f2050d8a86f546a68e0d34c4d1aeefde
Instruction Fuzzy Hash: 6D11F9709083695EE7294720DC55BF77B34F742310F1106FAE69A690C1C7B45BC4CB55

Function 02519DA5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 3a3b4d872d00907e024bfea48f28e23352baaa1bf3722df526724f65230a50d5
Instruction ID: d555c803965438440c380f70e6603b611c20ef38e2dfe456dde192355efea749
Opcode Fuzzy Hash: 3a3b4d872d00907e024bfea48f28e23352baaa1bf3722df526724f65230a50d5
Instruction Fuzzy Hash: E1019EB2D164559BFB288A10CC5ABFA7264E754311F1441FA9A0A96AC0DABC5BC0CE54

Function 00CAD141 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 00CAD695

Strings

jjjj, xrefs: 00CAD686

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: CreateProcess
String ID: jjjj
API String ID: 963392458-48926182
Opcode ID: 17eebd6ff0cc23bccf174c00acd3298e12e15a67c5097a27dd00a7016d4282da
Instruction ID: 3a1e9f2132dab0948ae2583aad7e0bca4d96ecb5e7518f466d674a2d02b07792
Opcode Fuzzy Hash: 17eebd6ff0cc23bccf174c00acd3298e12e15a67c5097a27dd00a7016d4282da
Instruction Fuzzy Hash: 840192B1D49359ABFB208A01DC42FBAB335F784755F2445EDF50B25A80D6752F808E44

Function 02518E99 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: e409757587de11cc06cc3eb2245f3ae08f8f7438957788bce93b7c946f51ffdb
Instruction ID: ae61ab9147d740cbf98962236745e15b26968526edf0b0286dbe376fcb76d4d6
Opcode Fuzzy Hash: e409757587de11cc06cc3eb2245f3ae08f8f7438957788bce93b7c946f51ffdb
Instruction Fuzzy Hash: 9E01D1B3819558AFF7308A10DC4ABF773A8EB18310F0805FA9949D5581DABD8FC4CE51

Function 02519E50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 06870867217520493dd483d047cf1d903f39d1949e3e299f1fb5acbc8bb80cca
Instruction ID: 1b0c28c4984c6dbfa697ecdd08799abe72fab3e4469ed62a190ea306321af867
Opcode Fuzzy Hash: 06870867217520493dd483d047cf1d903f39d1949e3e299f1fb5acbc8bb80cca
Instruction Fuzzy Hash: 8D0162B2D015199FFB348A54CC8ABFA73A8EB14311F1405F6D909E6280D6B99FC1CE51

Function 0041BDD6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Strings

7B3Y, xrefs: 0041BDD6

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID: 7B3Y
API String ID: 544645111-3648703178
Opcode ID: 402b31f7f363f5216cc02f1bb72fd21bbf69a199207760692237c803016cef72
Instruction ID: 39c24c1019937b6ea7643b79ac288d22b60a49ec9098781e8e542d4fc01bf98a
Opcode Fuzzy Hash: 402b31f7f363f5216cc02f1bb72fd21bbf69a199207760692237c803016cef72
Instruction Fuzzy Hash: A5F0C2F2C94121AAF7105524EC89FFB766CEB04760F140076E90DE6140E27D8FC14AA6

Function 02519D03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 7687824290d268f32db0b1a6aed371750a53d220b1dbf58684d34b246b07754a
Instruction ID: e40b47c2225f7d268619eea4a851e0d492fe38efd045cbdc9d2d14bb0fa419e3
Opcode Fuzzy Hash: 7687824290d268f32db0b1a6aed371750a53d220b1dbf58684d34b246b07754a
Instruction Fuzzy Hash: EC016DB3C055199FFB348A00DD46BFA73A4E714311F1445F6D909E6680E6B99FC0CE55

Function 0251A21A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 650e375969ee91eb7d61586d58c686ad4378dda41dd1c39cbc5344c100570039
Instruction ID: 1e563c98fa5e7f178cccdd18ad3ebf0e5e4db47db6116164dcdea8a3e6971322
Opcode Fuzzy Hash: 650e375969ee91eb7d61586d58c686ad4378dda41dd1c39cbc5344c100570039
Instruction Fuzzy Hash: 2F016DB28055589BFB348A50CC46BFA73A4EB14311F1405EAD909E6680DAB88FC0CE50

Function 02519729 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: 2b028382a26eb4ab443adde483ad036362c1bc18c5a20c2d182064a1b4ee5b53
Instruction ID: cad4cc9c90b5d8664dcc04ff5d8f91526dd0ad81bb62d4053ea2e9aed4e4f50c
Opcode Fuzzy Hash: 2b028382a26eb4ab443adde483ad036362c1bc18c5a20c2d182064a1b4ee5b53
Instruction Fuzzy Hash: F3F09AF3C15419ABFB348A04DD4ABF672A8E714311F0401BA9909E6680EABD8BC4CE91

Function 02519D41 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 0251A26A

Strings

Ph?, xrefs: 0251A256

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Open
String ID: Ph?
API String ID: 71445658-2294233904
Opcode ID: e9d8f012683396562eba65902f3409bb8acdf4f3cab097b9e8b8d01ae3c5dad7
Instruction ID: ac2fbb6b8d7ba402e941e40f74e671c66a8e200c528e688b6f702fadf7c00e6c
Opcode Fuzzy Hash: e9d8f012683396562eba65902f3409bb8acdf4f3cab097b9e8b8d01ae3c5dad7
Instruction Fuzzy Hash: C8F062B2C055199FFB34CA00CD4ABFA73B4EB14311F1441EAD909E6680EAB88FC0CE54

Function 00CA51B9 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

R, xrefs: 00CBCC30

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID: R
API String ID: 0-1968290334
Opcode ID: 41ea33fafc5a193e20359fbf685e9c7d015d36e54ecfdcec850efbe4f8625a11
Instruction ID: d66b7e08287286336507948b963805a2d69865a449802fea14b7e186311e081e
Opcode Fuzzy Hash: 41ea33fafc5a193e20359fbf685e9c7d015d36e54ecfdcec850efbe4f8625a11
Instruction Fuzzy Hash: 96715CE2D142249AF7284A24DC99BFB7B74EB90311F1441FED90E266C0E67D1FC18E62

Function 0041534B Relevance: 1.7, APIs: 1, Instructions: 228COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 94afcbb885cf53290e66505c55b729cd1521856f59a8a97a08a6583f317ab976
Instruction ID: 5da083a13cbec819ad66447ac4a4433cd97ef7fe8c929fb70d11da4aac454fbb
Opcode Fuzzy Hash: 94afcbb885cf53290e66505c55b729cd1521856f59a8a97a08a6583f317ab976
Instruction Fuzzy Hash: 6791D2B2D056288FE724CA18CD94EEABB7AEB94310F0481FAD80D67644D6396FC5CE51

Function 02516A77 Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: e2b63121a7237b4f9da24cc850a1d108a15f5c9fb56ae945bc7815ed446ab38c
Instruction ID: f63df33dec1e5524e697b35486c3d9520456c1f132b03a1649684eff785a5eeb
Opcode Fuzzy Hash: e2b63121a7237b4f9da24cc850a1d108a15f5c9fb56ae945bc7815ed446ab38c
Instruction Fuzzy Hash: 12A199B5D056688BEB24CB19DC84ADABBB5BF98310F0881EAD80DA3240D7355FC6CF45

Function 00CB9DA6 Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,00001000,00000040,?), ref: 00CBB3C8

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7f632b43c2978e626a775be146d36414eb64096a4668847a9124ab2e56533294
Instruction ID: be569d987f0823734a7e0e99fef162a196d905edeadfca588990f7b7323c72b1
Opcode Fuzzy Hash: 7f632b43c2978e626a775be146d36414eb64096a4668847a9124ab2e56533294
Instruction Fuzzy Hash: 537158B2D052248BF7248B14DC80BFB7774EF91320F1481FAEA4D56681EA395EC1DB62

Function 0251C472 Relevance: 1.7, APIs: 1, Instructions: 203registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,024F86BE,?,024F86BE), ref: 0251C4DE

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e4fd2907da36f65f7a5c845060741da4704abea0f6c435ec56fc27d1b4932cad
Instruction ID: b9cc726d166e53d67fd5115a1bf0534a6e1b18a9d8c9db28b7dd6e0b05d1aa61
Opcode Fuzzy Hash: e4fd2907da36f65f7a5c845060741da4704abea0f6c435ec56fc27d1b4932cad
Instruction Fuzzy Hash: 47918CB0D082689FEB258B28DC916EABBB5FF84310F0441EAD84DA2680D7755FC5CF42

Function 00414396 Relevance: 1.7, APIs: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 69fabe70b1fd51af6b3deb31db2cea1ae100585615818b6fcfea11a3d86a283a
Instruction ID: 74472a5ec9c3fe4c55886525d6277c6099a2e3a899cf84f746c226c7d4f7be60
Opcode Fuzzy Hash: 69fabe70b1fd51af6b3deb31db2cea1ae100585615818b6fcfea11a3d86a283a
Instruction Fuzzy Hash: 8A81D071D045288FD724CB29CD80BEABBB5EFD4305F2481EAD40DAB294D6785BC6CE16

Function 02516F2F Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 5914107311a3ac3ce1dab1553ddb14044e64c5ff14d232a04c9389f23df93f57
Instruction ID: b236293303e4f29d378dd608648340e2e806cd8653ea766567d994caee98d8d3
Opcode Fuzzy Hash: 5914107311a3ac3ce1dab1553ddb14044e64c5ff14d232a04c9389f23df93f57
Instruction Fuzzy Hash: B061E5B2D002649BF7248A14DC84AEBBBB9FB89310F1441FAD90D27640D3396FC6CE56

Function 02517BC1 Relevance: 1.7, APIs: 1, Instructions: 183COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 67560035323ca2dd15b8ef660c9d5badd7915aa4b9a78fd4e7ad4a1348b5cca7
Instruction ID: ea0ea1e23fc6c47a96e0fec0731baf21f64d2e114ccb2a1a3c035d0d74de8bea
Opcode Fuzzy Hash: 67560035323ca2dd15b8ef660c9d5badd7915aa4b9a78fd4e7ad4a1348b5cca7
Instruction Fuzzy Hash: 1A61DEB1D044299BF7248A18DC80FFBBBB5EB85315F1481FAD84DA6680D7385EC1CE65

Function 0251696A Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 125a294ef5c36d7183e05301948edf83d0152bb5db3eb0dc3ddc0b2c46114312
Instruction ID: 870dc7e76b10b0cad6664fddcaa8f945143680c42cd31ff6ad0f43203cf3db95
Opcode Fuzzy Hash: 125a294ef5c36d7183e05301948edf83d0152bb5db3eb0dc3ddc0b2c46114312
Instruction Fuzzy Hash: DB51F6B2D092649FF7248B25DC44AEA7F79EF82310F0482FAD48D56181D6785EC6CF92

Function 00CBAC5B Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b3d8a8b7e05abb63f9e6c29597ee53dee3dba17a1561580634f674960650
Instruction ID: 17c34f3138f6a8d661f7678f445038bb37c19646e6db1f6d708d8e610f03b172
Opcode Fuzzy Hash: 31d8b3d8a8b7e05abb63f9e6c29597ee53dee3dba17a1561580634f674960650
Instruction Fuzzy Hash: DC5112F2D14114AFF7288A21EC55BFB7779E780310F2081BEE60EA6684D77D5EC18A52

Function 0252A7BD Relevance: 1.7, APIs: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0252AACA

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bb9757195bf4f8f7944c309c7ff9768c265f45819a14f02cc556601f1370058f
Instruction ID: 57abd3734dddf9dbb8fa44911ff06598968209ef777fac733f2ca6d2933130cd
Opcode Fuzzy Hash: bb9757195bf4f8f7944c309c7ff9768c265f45819a14f02cc556601f1370058f
Instruction Fuzzy Hash: 4351D0B1D059249FEB24CB15CCA0BEBBB75FF82316F0481EAD909672C1D6345E85CE45

Function 02516DBE Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1481d6d2a0244f89ee74657369efe138f11a263d14944dd0cb98da27421ac2be
Instruction ID: ff2bb3106d91e91b21c62d4b6004c81c34fc7619eb901f95260e5f08d9cce732
Opcode Fuzzy Hash: 1481d6d2a0244f89ee74657369efe138f11a263d14944dd0cb98da27421ac2be
Instruction Fuzzy Hash: 96513DF2D006289BF7248A14DC94AEB7B78FB85314F0542FAD84D16640D7385FC6CE56

Function 0041B167 Relevance: 1.7, APIs: 1, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b188b488870be0d63c804a91aa24403ff496910c39b4714d1202630702dd8b41
Instruction ID: 5eb8a8448e9747efaf3da59d438536a3872c4ba8ef0fe848cc8911fc0669e231
Opcode Fuzzy Hash: b188b488870be0d63c804a91aa24403ff496910c39b4714d1202630702dd8b41
Instruction Fuzzy Hash: 085146F2D14514AEF7108A20ED49BFB7729EBC0310F1581BBE90D56680E27D5FC68E96

Function 00CBB172 Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,00001000,00000040,?), ref: 00CBB3C8

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1dbea85e08f120facb33bb16fcfe2f847bf018053f274599ee80c0f4ae8a0320
Instruction ID: 115b1c7c12f719f9fb9ad756c71020a7a5029da1d438b0a96235917d7bae0e03
Opcode Fuzzy Hash: 1dbea85e08f120facb33bb16fcfe2f847bf018053f274599ee80c0f4ae8a0320
Instruction Fuzzy Hash: A65103B19045548FEB248A54DCA1BFF77B5FB80305F1841FADA5E91281E7B86FC08E52

Function 0041426D Relevance: 1.7, APIs: 1, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 5b9cef5876871ef860a7b9ddcd7ffc2314b146a0be43456346f0c17103360a35
Instruction ID: 4652117e78e9cc9174df9fd7aca45beb414f1d66f0228a25086f5055323ef6d2
Opcode Fuzzy Hash: 5b9cef5876871ef860a7b9ddcd7ffc2314b146a0be43456346f0c17103360a35
Instruction Fuzzy Hash: 9261C472D046288FD724CB29CD80BEABBB5EF84314F1481FAD40DA7294D6785BC5CE56

Function 004142A3 Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: dace4513ce2d01881ee98a636057fc093739a387667d6c98dcb3984c1d210af4
Instruction ID: 354559b6e0ec4942fac12a682cf88070519995023233c89dc636c1a5bf674757
Opcode Fuzzy Hash: dace4513ce2d01881ee98a636057fc093739a387667d6c98dcb3984c1d210af4
Instruction Fuzzy Hash: 0451C272D046288FD724CB29CD84BEABBB5EF94304F1081EAD40DA7694D6785BC6CE15

Function 00414104 Relevance: 1.6, APIs: 1, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: c44a5d4f10f26ec8e72f5833469cc3b2d84adfb5e56cd85292d99afe3777968e
Instruction ID: 712dc68a1969bcd2a0c3b9d9b4921174b69998797709ff70c56a16a647395e35
Opcode Fuzzy Hash: c44a5d4f10f26ec8e72f5833469cc3b2d84adfb5e56cd85292d99afe3777968e
Instruction Fuzzy Hash: 5951E3B2D041249FE724CE18CD84BEABBB9EBD9304F1481FAD40D66644C27D5FCA8E56

Function 00419372 Relevance: 1.6, APIs: 1, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3083e419c3d9e6480fd32b0993d170d550e93f6310235d0c32bb902dc2c603b4
Instruction ID: 99e7b545ccbaa957486604864e207e50a3fcec8a1cfa27bc5654eb7ca8e894d2
Opcode Fuzzy Hash: 3083e419c3d9e6480fd32b0993d170d550e93f6310235d0c32bb902dc2c603b4
Instruction Fuzzy Hash: 784157F3E845946AF3105625ECC8EEB7B39EBC1720F15817BEA4D06540E13D4EC78666

Function 0251FEAA Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da95c60a2f2290913b44df64bc613ca7d4ad97c45158b969886f54cd6e6cea2a
Instruction ID: e9ba541840dafd2a35d56c3a019729452a5c697c7ff5fc006a608db505163991
Opcode Fuzzy Hash: da95c60a2f2290913b44df64bc613ca7d4ad97c45158b969886f54cd6e6cea2a
Instruction Fuzzy Hash: 314115B2D05264AFF7208620DC54BFB3B79FB82310F5041FAE949662C1D6785FC5CA51

Function 0041C1B1 Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c964157a4bbe23cff09bc642527391c298c4e1ed3a9d9687d112ead79ebee1
Instruction ID: 0b6f59b6b6d3cfd861e1fbfe3200ae47590d169f594d32d849546e56cd24c172
Opcode Fuzzy Hash: b0c964157a4bbe23cff09bc642527391c298c4e1ed3a9d9687d112ead79ebee1
Instruction Fuzzy Hash: 8A41C5F2D81118AFF7208A15ED85FFB7739EB80720F1081BAE90D56680E57D5FC28A56

Function 00414D58 Relevance: 1.6, APIs: 1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: a1ffedfa88a64bb8f7f009315ef642e864b881b42f32b6fc3e272b0c1a8e0b62
Instruction ID: 8510f6737f21d201435da05b607a92284732eba51f39eaa5104f9459c9101aee
Opcode Fuzzy Hash: a1ffedfa88a64bb8f7f009315ef642e864b881b42f32b6fc3e272b0c1a8e0b62
Instruction Fuzzy Hash: F55149B2D046188FE718CF18DD85EEBBB78EB84305F1482FAE40D56244C2795FC68E56

Function 0251FC4C Relevance: 1.6, APIs: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 12a11dc55488555c729821c51ab2ee1804d64fba4171177662ae8cdc4eabd4f4
Instruction ID: 5cc84b0bfef81cd29980abeb98b380f4d9f0ba51e28e752fd0a3f2f37e1be06a
Opcode Fuzzy Hash: 12a11dc55488555c729821c51ab2ee1804d64fba4171177662ae8cdc4eabd4f4
Instruction Fuzzy Hash: EE4126F2D05164AFF7248620DC44BFB7B79FB82320F1540BAD849662C1D5796FCACA61

Function 004142D4 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 1dff4a8858965d962a7214038015fe3e452d0c84c234b5380a04a3415c05ee73
Instruction ID: 77ef6881700b987b81de9bf48cdf69f853f7c68a40219863844ae437f75d0b6a
Opcode Fuzzy Hash: 1dff4a8858965d962a7214038015fe3e452d0c84c234b5380a04a3415c05ee73
Instruction Fuzzy Hash: 3A51CF72D046288FDB24CB29CD84BEABBB5EF88304F1081EAD40DA7694D6785BC5CF55

Function 0251F232 Relevance: 1.6, APIs: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 23fa30e7450061f4ec11ec0109344f1777b0f1f36e043ac854ea365d7431bf63
Instruction ID: 9874847f50335af1d768e3f1562e37e2e1ec6c4e08dfe8e39a3340e9b8c82d85
Opcode Fuzzy Hash: 23fa30e7450061f4ec11ec0109344f1777b0f1f36e043ac854ea365d7431bf63
Instruction Fuzzy Hash: 56614C74D092A88BEB258F28CD917DABBF1BF89314F1482E9D84D62280DB715BC5CF45

Function 0252A74E Relevance: 1.6, APIs: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0252AACA

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 68ba2e1cc03c23ea0d85380a56166930d97824b6f58ffc12c77f336bd13fc2c8
Instruction ID: 977cc0c84cf324cdba1ea37f5b1d8221cedc5e17d877a99a0ab77c6291108436
Opcode Fuzzy Hash: 68ba2e1cc03c23ea0d85380a56166930d97824b6f58ffc12c77f336bd13fc2c8
Instruction Fuzzy Hash: 92517EB1D049688FEB24CB19CCA0BAABBB5FF45316F0441E9D909A72C2D6359EC5CE44

Function 025168EF Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 0058eba37d5968374fdc1d88ca00b5d09873c1be7980bcdca6bee0019c9dba3c
Instruction ID: df53d507e933b63b39abab2a6a2a0de48bf9d82a46bc16b9d5c0d9114bc7905b
Opcode Fuzzy Hash: 0058eba37d5968374fdc1d88ca00b5d09873c1be7980bcdca6bee0019c9dba3c
Instruction Fuzzy Hash: E4414DB1D046695FEB204B25CC447FABFB9EF82311F1445F6D48D56085D27849C6CF62

Function 004142F1 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: d703739dcc62d8a373c12cb740604d7b2ffe371f64ba0e38c6ccb2ff5b11d3e6
Instruction ID: a95f8b4f8273bcb9d2d181dd2978678393635b89f95089999ba4ef6c692bb06a
Opcode Fuzzy Hash: d703739dcc62d8a373c12cb740604d7b2ffe371f64ba0e38c6ccb2ff5b11d3e6
Instruction Fuzzy Hash: BA51A172D046288FDB24CB69CD84BEABBB5EF88304F1081EAD40DA7294D6785BC5CF55

Function 0041C284 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205441354c442d359b9ca109ecd276ea969f71895a9351bf16406c6415bfe714
Instruction ID: 46e0b00ebc6eb9bcb03271a8495a55bc968b0dcc0d981941ef5fd1a4ad505cfe
Opcode Fuzzy Hash: 205441354c442d359b9ca109ecd276ea969f71895a9351bf16406c6415bfe714
Instruction Fuzzy Hash: 3341D4F2D842186FF7208A15ECC9FEB7779EB80720F1081BAE90D66640D67D5EC28A51

Function 0041BF96 Relevance: 1.6, APIs: 1, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 88049b2436f670f32f5c05f0a14641e2d4bba6b238b077e77781700beb504722
Instruction ID: 2feab9ee19067b8e97210a11674b33bcb4e8d797b33c880cc8bcbca311ad26eb
Opcode Fuzzy Hash: 88049b2436f670f32f5c05f0a14641e2d4bba6b238b077e77781700beb504722
Instruction Fuzzy Hash: 8031E7F2D84114ABF3148615EC89FFB7739EB80720F10817BE90D56640D57D5FC28A92

Function 0041B321 Relevance: 1.6, APIs: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe2f2b333b14317d796991e5424d744c1d03e43c91866c4a65c8d091c5e6875c
Instruction ID: aa53cda9ceb571ee80f8be6ebc02d2f47c7e66558542d501c8ce2179d5b77dff
Opcode Fuzzy Hash: fe2f2b333b14317d796991e5424d744c1d03e43c91866c4a65c8d091c5e6875c
Instruction Fuzzy Hash: 1A41AFB2D54224DEEB248A14DD85BFB7378EB55310F1441BBD94DA6240E27C4EC28FAB

Function 02517A0A Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: edb8a330beaf055332ab78f71f60c65789ac4f712a73d27a4aed3777bd1578be
Instruction ID: 2ea77bc96dfeed2783ee6c43e112fcf8fe021ec624576d33c16b0dd5b62bbdc9
Opcode Fuzzy Hash: edb8a330beaf055332ab78f71f60c65789ac4f712a73d27a4aed3777bd1578be
Instruction Fuzzy Hash: 5A418EB1D046688BEB24CB14DC85AEAB775FF88304F0442EAD84D56281D7346EC2CE56

Function 025171C5 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: a3cc2aaf763d4fa07826c75cc463a09cc0218d72d990bbe6f8fbb05acaf1f9be
Instruction ID: 5fb74d2ecf3587763b44e69f6914f3bb8a7daef69a3d5a1c2c237f3c6a3e615f
Opcode Fuzzy Hash: a3cc2aaf763d4fa07826c75cc463a09cc0218d72d990bbe6f8fbb05acaf1f9be
Instruction Fuzzy Hash: 6041E8B2D045289BF7288618DC84BEBB7B8FB88311F1441FAE51E26640D7395FC6CE56

Function 0251FC0E Relevance: 1.6, APIs: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 791a6fd18d2050e85401f70a614c137e4bf74c762a86be795800a21359ee62b9
Instruction ID: 1a127c9729cc266ac5f2aa40662ddb0e46d9518138b724f00a0c675c3c0beef4
Opcode Fuzzy Hash: 791a6fd18d2050e85401f70a614c137e4bf74c762a86be795800a21359ee62b9
Instruction Fuzzy Hash: 843167F2D061A4AFF7209A24CC04FFB3B38EB82310F1101FAD449662C1C6785BC9CA66

Function 0041BFAF Relevance: 1.6, APIs: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3e757a347584695c95b8e24b60f1be5f06669791e8b38290b028b70552da0810
Instruction ID: c4174c3c8e217db58aecc394a33ba799527f526a41de3c13ba44ca3b0b764bfd
Opcode Fuzzy Hash: 3e757a347584695c95b8e24b60f1be5f06669791e8b38290b028b70552da0810
Instruction Fuzzy Hash: 0531D4F2D94218AFF3108615EC85FEB7B39EB80720F1081BBD90D56640E67D5EC28A62

Function 0251FFC1 Relevance: 1.6, APIs: 1, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3aa9734bbf19bee1a8e4dc9e145389dabc12d23c09db066f6a0764569cebdb9
Instruction ID: 8ee93ee58cc0481fcf74b703d06cd2935fe6e03d96e44b58ae947bdd64fe5e98
Opcode Fuzzy Hash: b3aa9734bbf19bee1a8e4dc9e145389dabc12d23c09db066f6a0764569cebdb9
Instruction Fuzzy Hash: E83117B2D06274AFF7209624CC44BEB3B79EB92310F1500FAD449662C1D6795FC9CB65

Function 0041B357 Relevance: 1.6, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 99f78b2838dc24c1a6437147204bd087541be8bb370cfba4d857946196ebc2e9
Instruction ID: 7ed53395caa21f7b3c410da4e7945bcd8528c72d6928e0d30ed7d2bcbbb404b2
Opcode Fuzzy Hash: 99f78b2838dc24c1a6437147204bd087541be8bb370cfba4d857946196ebc2e9
Instruction Fuzzy Hash: DD31D4F2D54224DEF7108A14DC85BFB7268EB55315F1441B7DD4DA6280E23C8FC28AAB

Function 0041C57A Relevance: 1.6, APIs: 1, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c03982353d849f4d13dfe7243795b8810ad57a14e9c19c150b1504909e3416e3
Instruction ID: 63e734a770d13442acf5b90e8729e305554c4c5889bf1bbc50e466e158164a72
Opcode Fuzzy Hash: c03982353d849f4d13dfe7243795b8810ad57a14e9c19c150b1504909e3416e3
Instruction Fuzzy Hash: DD41C0B2D401259BE724CB14CD84BFA77B6EB84310F1481FAD90D97341D638AFC18E95

Function 0251FFCA Relevance: 1.6, APIs: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 42178603d7ab2d1ac17919a4fd8b547041b49aa1440923dae2dcb41814d226a0
Instruction ID: 8f655e8bdfca4e3779b436d0a6f45f12dc092fc3bd3f8a7a9047de92077df9bc
Opcode Fuzzy Hash: 42178603d7ab2d1ac17919a4fd8b547041b49aa1440923dae2dcb41814d226a0
Instruction Fuzzy Hash: C33127B2D062B4AFF7209624CC44BEB3B79EB92310F1500FAD4496A2C1C6795FC9CB65

Function 0252A8CA Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9177b0a9e938e3f35d58e8a43f7ee428a347faeff2f679e08fdff3d920d909
Instruction ID: 649d4d31d1560f6b4297e6c183d9e4e174746a59515e974cdbb343cdb8f6afc8
Opcode Fuzzy Hash: 5c9177b0a9e938e3f35d58e8a43f7ee428a347faeff2f679e08fdff3d920d909
Instruction Fuzzy Hash: 46419071D095788BEB24CB14CDA0BBBBB72BF82306F1481EAD509A72C5D7345E89CE44

Function 0251716A Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 745722b8fa5c98059095b65e62d4944ee473dd45068db6f2ba47b941b8082dbd
Instruction ID: 7a3508d674d05b4561b82d7798d19177b955d68652ce49be56e1bf21be03d4b2
Opcode Fuzzy Hash: 745722b8fa5c98059095b65e62d4944ee473dd45068db6f2ba47b941b8082dbd
Instruction Fuzzy Hash: AF31FAB2D045289BF7248654DC84BEBBBB8FB88311F1441FAE90E26640D7785FC6CE56

Function 0041B365 Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 270623a6fffc7a5390213c2cf577ce37a0ac3c57082a4d28100a4a0a64223e4d
Instruction ID: 27b9315497d67c21ac6cbdb30c69bda87acd6ef53a1b774bc9ca31b08d0e4be9
Opcode Fuzzy Hash: 270623a6fffc7a5390213c2cf577ce37a0ac3c57082a4d28100a4a0a64223e4d
Instruction Fuzzy Hash: A331E6F2C54224DEFB108A24DC85BFB7378EB54315F1441B7DD4DA6280D23C4EC28AAA

Function 02517846 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: a67c4aaac8379c43ba13a82659dafb82c721bcd7db40b2decc114491c33c9208
Instruction ID: bfea49792e126d43ee47abd324e5223a4462df3e92c2e34f0b4355a58e6dd663
Opcode Fuzzy Hash: a67c4aaac8379c43ba13a82659dafb82c721bcd7db40b2decc114491c33c9208
Instruction Fuzzy Hash: 0E31B9F2D106699BE720CA15DC84BE7BB78EF49320F0442B6D84DA6240D7385FC5CEA6

Function 00CBB039 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,00001000,00000040,?), ref: 00CBB3C8

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e8ae591026a63cb32db82e1f0e1bb3d8e74b7f49fa105618a1ab488529890076
Instruction ID: ffa6c5e1ff1bec8f727a7a9f804f1f5e1b77306999fa4046c5a502b4fe7327c6
Opcode Fuzzy Hash: e8ae591026a63cb32db82e1f0e1bb3d8e74b7f49fa105618a1ab488529890076
Instruction Fuzzy Hash: 8541ADF2E055149FF728CA14DD90AFAB379EB90300F1481BDDA1E66381E779AF818E51

Function 00414183 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 8b04ebbbf99e946f062d1021a27fceecf90a2f510773073852aaf20d9f76b600
Instruction ID: 4aa9dd345d65673ae35b8cab957c95532e7913973518a568fb6600fc6e3f9187
Opcode Fuzzy Hash: 8b04ebbbf99e946f062d1021a27fceecf90a2f510773073852aaf20d9f76b600
Instruction Fuzzy Hash: 2541E471D046148FD724CF28CD94B9ABBB5EF88304F1481EAD40C5B694C6795BCA8E46

Function 0041C2F0 Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5c08fd63016c21b054a6d4b97e32bd7cdb6e1055b874df71d07cfc2cdb0edb0c
Instruction ID: 9d5b88f1c960774d4efb7aa11a6dd023ade0870204a481e5dba98c68c14b446f
Opcode Fuzzy Hash: 5c08fd63016c21b054a6d4b97e32bd7cdb6e1055b874df71d07cfc2cdb0edb0c
Instruction Fuzzy Hash: 4F31B5F2D90218AFF7148A15EC85FFB7739EBC4710F1081BAE90D56640D57D5EC28A51

Function 0041C7BC Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f8f6bf0f49c63ab113c5fb94be09d9e35a705a8614ad253c5605735188b8dd27
Instruction ID: ec8584b82749eddaff723e03cdd0ac27e46c595c0f8ba890d68954015b3ec337
Opcode Fuzzy Hash: f8f6bf0f49c63ab113c5fb94be09d9e35a705a8614ad253c5605735188b8dd27
Instruction Fuzzy Hash: 6A3124B2D441149AF7208625DDC8BFF77B9EBC0315F2082BAD80952684D63C5FC68F16

Function 0041C2FB Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 087af003d2c6aecd528f344c7898fca4f91eca59398a5df4cbe05b0923b8066a
Instruction ID: d09cf651d443cb215b716fd051fa4d1b5624b0e3c4e014868eb832b7ee8ef0fa
Opcode Fuzzy Hash: 087af003d2c6aecd528f344c7898fca4f91eca59398a5df4cbe05b0923b8066a
Instruction Fuzzy Hash: 8631F6F2D842586FF7208A15ECC5FEB7B39EBC0320F1481BAD94D5A240D57D5EC28A51

Function 02525E97 Relevance: 1.6, APIs: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 025268AD

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 980d4f9c0594ec5e3625a330df5072e1a9a06ba0c54eef38a03e2065b36915d5
Instruction ID: 6556efa4a9d72467e9608f209d87cf592075731ea4678585c5360caf58b8bd51
Opcode Fuzzy Hash: 980d4f9c0594ec5e3625a330df5072e1a9a06ba0c54eef38a03e2065b36915d5
Instruction Fuzzy Hash: C63181F3E15524ABF7248904DC45BE77678EB55320F0501B9E90EA6280D27D9FC98EE2

Function 0041E7D7 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 09368e63e61e2c47f4eaaf64b3950bf91abfc78235432b2168633ae65f0d3cad
Instruction ID: 5c1fe2416a71743b778ff8e2b8cb4bc43bbdeee689d1b485fa42de58ad80d312
Opcode Fuzzy Hash: 09368e63e61e2c47f4eaaf64b3950bf91abfc78235432b2168633ae65f0d3cad
Instruction Fuzzy Hash: 9031C6B5E050249BE724DA46DC84AEAB3B5EBC4310F2441FBD80E57740D6396EC2DE52

Function 02517227 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 35d2be0f3afe690cfa87839833d3bc922edd977e0f108692452067e283ec207b
Instruction ID: d6a75a71bd14e5acfd188fcdf886cc06b8dab7b2a071bfff7efc25ea79293260
Opcode Fuzzy Hash: 35d2be0f3afe690cfa87839833d3bc922edd977e0f108692452067e283ec207b
Instruction Fuzzy Hash: B231B8B2C045189AF7288614DC44BEBBBB8FB88311F0441FAF40E16640D7795FC6CE56

Function 004143A3 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 96559d7694a33e1b7b4efc8e3965b644090e5ae2ca5c3619efd5ac7bbfda6c6e
Instruction ID: 116aae0212982470610d8f9ad3a36960232f92fc9faf5f3fb8aca13d1b4f2768
Opcode Fuzzy Hash: 96559d7694a33e1b7b4efc8e3965b644090e5ae2ca5c3619efd5ac7bbfda6c6e
Instruction Fuzzy Hash: 4F41B231D045288FDB24CE69CE44BEAFBB5EBC8305F1081EAD40D67258C7785BC98E45

Function 004141B8 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 2fc0eeadff207568cca7dcb4fbcef6fe7664858f449bca4b767402626a16a58a
Instruction ID: c5c19074c1bc517cfb4e99979305f2d3fbb0855d6f43c8a964ed9ea0c0c518e7
Opcode Fuzzy Hash: 2fc0eeadff207568cca7dcb4fbcef6fe7664858f449bca4b767402626a16a58a
Instruction Fuzzy Hash: 2941C371D045688FDB24CF28CD54BDABBB6EB88305F1081EAD00D67258C6795BCACE06

Function 0041B3B3 Relevance: 1.6, APIs: 1, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7f9427ee2f33c5a440c246799a95018a16772016a72100cf7cb0a27e99c90fbd
Instruction ID: 9c1a9001044c622c2f847de708c3531db389a9513c7c57bf811be2ce39cb404e
Opcode Fuzzy Hash: 7f9427ee2f33c5a440c246799a95018a16772016a72100cf7cb0a27e99c90fbd
Instruction Fuzzy Hash: 9121E5F2C54224EEFB108A24DD89BFB7668E754311F2481BBED0D95180D27C8FC69E96

Function 00414428 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: eaca00dad9ba84399146d56927ab985843105f9f20e434babf3ab1bae463e13b
Instruction ID: 787630a6ba4259c6403da4272c90618b296ca9eb70a4db4fd61ac04506f884da
Opcode Fuzzy Hash: eaca00dad9ba84399146d56927ab985843105f9f20e434babf3ab1bae463e13b
Instruction Fuzzy Hash: E3418371D045288FDB24CE69CE44BEABBB6EB88305F1482EAD00D67598C7785BC68E45

Function 0041C446 Relevance: 1.6, APIs: 1, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 86e97e1faf6b00ca9278dd765ad78635d3628a71100cc6318bcc18d34d3f025b
Instruction ID: be66c48b443587916ed005937928d5abe58e2042da19c046050b0beb7e4afe9e
Opcode Fuzzy Hash: 86e97e1faf6b00ca9278dd765ad78635d3628a71100cc6318bcc18d34d3f025b
Instruction Fuzzy Hash: 1B2120B2C84229AFFB108A20DC94BFBB729FB84310F1441FAD80D67241D2385EC1CA99

Function 0041E651 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f109e4b462d7857c3be94e2b25fc65e8de68c33f243585afe2a7d423f3b5de96
Instruction ID: fd5f3af250789f5e77abe30f527b58b209837658ec80ee6443f09c5c1eaf8454
Opcode Fuzzy Hash: f109e4b462d7857c3be94e2b25fc65e8de68c33f243585afe2a7d423f3b5de96
Instruction Fuzzy Hash: AE2132B6E011285BF7248609EC48BEB3B76EFC5310F0082BAD94E17381D9391ED2CE56

Function 004143B4 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: f8c177bf0bc4a92a67295a7be0c612f450c36cbf2b02f4136c9e627815d3e7ea
Instruction ID: 170d6e925add39181b451bff31c36bb6feb967943693711c8479eb7de1c19891
Opcode Fuzzy Hash: f8c177bf0bc4a92a67295a7be0c612f450c36cbf2b02f4136c9e627815d3e7ea
Instruction Fuzzy Hash: D931A231E045288FDB24CF69CE44BEAFBB5EB88305F1482EAD00C66258C7785BC9CE55

Function 00414132 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: b8791626b0082a9d7c61dbc4c56b5a3d76055929a220cb0c2aed3d2d602de655
Instruction ID: f48832b56edbd67bda688911a6fafdd5577ef626b60235d5dec7ba198ea9dbf0
Opcode Fuzzy Hash: b8791626b0082a9d7c61dbc4c56b5a3d76055929a220cb0c2aed3d2d602de655
Instruction Fuzzy Hash: 1131D472D045288FDB24CF18CE44BEABB75BB88309F1441EAD40CA7254C7B95FC98E46

Function 0041B44D Relevance: 1.6, APIs: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5c77610562ae0228eae20f590a737f4dab55bc69e8762c6646d690f3f4b0f4ad
Instruction ID: 6f53da0b11d78231b6d6f4a5f951a4899369c68c80632bdeb73f74c5c298d02e
Opcode Fuzzy Hash: 5c77610562ae0228eae20f590a737f4dab55bc69e8762c6646d690f3f4b0f4ad
Instruction Fuzzy Hash: 1E21BFB2C54624AAFB208A20DC85BFB6668E750325F2441B7D94DA6180D67C8FC28E96

Function 0251725D Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 11cdda6e4f29b2329c5243d86f0fbf9f121a52922a52ba51477b7d2ce1393254
Instruction ID: 8eaf9bd51ce3ab3ea596a6eb18e0a7436d1abec863bb7d7a143b53d9945c3606
Opcode Fuzzy Hash: 11cdda6e4f29b2329c5243d86f0fbf9f121a52922a52ba51477b7d2ce1393254
Instruction Fuzzy Hash: 0621D8B2D045289BF7248614DC84AEBB7B8FB88311F0541FAE80D16640D3795FC6CE56

Function 0252003A Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5ef102c5c952777ccb098b019105a12bab50ead88baa41ce315e2415d708a40c
Instruction ID: 727a6a8945622b506c1633ae1c9ade1865ce7ebc31027b2009204bd3ae9798c6
Opcode Fuzzy Hash: 5ef102c5c952777ccb098b019105a12bab50ead88baa41ce315e2415d708a40c
Instruction Fuzzy Hash: B721F4B1A422A4AFF7214620CC54BEB7B79FBC2310F1500FAD5496A2C2C6741BC9CB15

Function 0041C4CE Relevance: 1.6, APIs: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 80c91dc67fb32f82d433488fe960f91ee42225ba173d31f321c4fdf529d9f448
Instruction ID: b4a8a42af984394b528e29277132206578b59c34f1a163ca8424d3de88360327
Opcode Fuzzy Hash: 80c91dc67fb32f82d433488fe960f91ee42225ba173d31f321c4fdf529d9f448
Instruction Fuzzy Hash: C521DEB2D80229ABEB209620DC85BEB7739FB44310F1440FAD84DA7240E23C5FC18E95

Function 02517276 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6526f16f95859e7ee94ae9c2885e2aff3aa3018455aa0a90f80b138e3c0bbc60
Instruction ID: 11b267944406b596364b60b1c327aee4b2b64d5eef241c11625d99a58fd6deec
Opcode Fuzzy Hash: 6526f16f95859e7ee94ae9c2885e2aff3aa3018455aa0a90f80b138e3c0bbc60
Instruction Fuzzy Hash: 2021C9B6C146289BF7248A54DC44AEBBBB8FB88311F0441FAE80D66640D3385FC5CE56

Function 02516D5B Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 071e0ba2a4330bd2670d94ce3b9d03382c8e291beb9aeb1e2be9e84d50fdc96e
Instruction ID: bf45695783898ed06a7a733acc91dd239789f5ea4e00a64616aa3bda9b5b9e9d
Opcode Fuzzy Hash: 071e0ba2a4330bd2670d94ce3b9d03382c8e291beb9aeb1e2be9e84d50fdc96e
Instruction Fuzzy Hash: 1621F9B6C155289BF7248644DC84BEBB778FB88311F0441FAE80D66640D3785FC5CE56

Function 02517D4E Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 852bc356184da13c937408f6a3ec90cd80aea761ced9d1a8c3236ac17325f98e
Instruction ID: d91461b0ed8e2a18e570571116d841a88c49a53dba0a68377da471450af1adb0
Opcode Fuzzy Hash: 852bc356184da13c937408f6a3ec90cd80aea761ced9d1a8c3236ac17325f98e
Instruction Fuzzy Hash: B221F8B2D045299BF7208654DC94BE7BBB4EB45311F1442F6D84DA62C0D6785FC1CE92

Function 02516EA8 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ee5390707d3518ed124f7087bff1e3fb683fff2fc0e2d3a99e434ef75eec7224
Instruction ID: 16252975944e798ff1bf3458aa30c7816de610d1b0637eb2fad1ccab9c6f0a55
Opcode Fuzzy Hash: ee5390707d3518ed124f7087bff1e3fb683fff2fc0e2d3a99e434ef75eec7224
Instruction Fuzzy Hash: 9C21C6B6C105289BF7288A54DC84BEBB7B8FB88311F0541FAE90D66640D3785FC6CE56

Function 02520052 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 473f7ef9b01ce703fd949d31cbb76ee2ff466edff89be1e8deba3a1158114838
Instruction ID: d3083426c4d8a5ca2541cdeb055bd1f61c2c07beb1da92d71ff344ad8e28a428
Opcode Fuzzy Hash: 473f7ef9b01ce703fd949d31cbb76ee2ff466edff89be1e8deba3a1158114838
Instruction Fuzzy Hash: 532104B19062A4AFF7219620CC50BFB7B79FB82310F1541FAD589A62C2C6741BC9CB15

Function 02516E25 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d9190cba3ba96e9024bedc3ff984d03ec3cb6d846a86afd16c8923b5393415c5
Instruction ID: 4e9a20842b95d15468efc5b805b2b446d22169457471908c0397af40ae48136e
Opcode Fuzzy Hash: d9190cba3ba96e9024bedc3ff984d03ec3cb6d846a86afd16c8923b5393415c5
Instruction Fuzzy Hash: 1421C6B6C105289BF7248A54DC84AEBB7B8FB88311F0441FAE80E66640D3785FC5CE56

Function 004141FB Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 49954132de3c07094ee499b7b3437e0d74b86a06f7189128f23b4220989fc526
Instruction ID: 58cbb210449243d3ad46e30b7af81cf0905a9e6f15068d571d836ac8cde04e56
Opcode Fuzzy Hash: 49954132de3c07094ee499b7b3437e0d74b86a06f7189128f23b4220989fc526
Instruction Fuzzy Hash: 0431B271D045688FCB28CF68CE94BDAFBB6AB88305F1081EAD00C67558C7785BC9CE46

Function 02525127 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 025268AD

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 426436f8db68228f40b69dd4ed3219267f6325ff45afaec00a4bc56e3ba3804b
Instruction ID: f3333610b9fa70989aebfe8250676b1333f1f924276956a778578959f12949ff
Opcode Fuzzy Hash: 426436f8db68228f40b69dd4ed3219267f6325ff45afaec00a4bc56e3ba3804b
Instruction Fuzzy Hash: 582123B2E040159FE7248614DC14BFBB778FB81325F0482FAE50E862C1D6799AC98E91

Function 00414167 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: e5a33aefab0d4a658201acb92a5da6016c11bbb5b3e8883c2c6556af6a16f349
Instruction ID: b3ec0fa55708011be8ab682fb5598677abf9f677e3d31b49d892cd183e820624
Opcode Fuzzy Hash: e5a33aefab0d4a658201acb92a5da6016c11bbb5b3e8883c2c6556af6a16f349
Instruction Fuzzy Hash: 8C31C472D045288FDB28CE18CE54BEAFB79BB88309F1442EAD40D67254C7795BC98E46

Function 0041BD9A Relevance: 1.6, APIs: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9fb5f30b76c6658914bc96059179d9616396ec0a719f6d39f68e2e71b77bd3e5
Instruction ID: 420a81046e9d43b7fd88c678774b18eb7fae84c4d578eaea0850c52fd5a66209
Opcode Fuzzy Hash: 9fb5f30b76c6658914bc96059179d9616396ec0a719f6d39f68e2e71b77bd3e5
Instruction Fuzzy Hash: 671181F2C54254ABE7245620EC56BEB77A8EB04310F1441BBE90EA6140DA7C9FC18B96

Function 0251EE44 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 286435bbb50076fb906b22fd5c791587cae8490bb97f698facd0da2f981f0ef6
Instruction ID: 0eaeffe30063d6cc2a625fdfa7d503c0748681f765e6628508a814c75e1c29ce
Opcode Fuzzy Hash: 286435bbb50076fb906b22fd5c791587cae8490bb97f698facd0da2f981f0ef6
Instruction Fuzzy Hash: CA11D3B1E083A86EFB258620DC55BE77A68F782314F0111BAE699651C1C2B85BC5CA16

Function 025172CA Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: e30166cbfb847f33f10dc9a0d1f5e295825716b22ecda471e2197bcf92a4bf90
Instruction ID: f2a5bc079597dfa055a413b6fdc5a8b1c7d0145f6fe91ff977b65a4116d1d56a
Opcode Fuzzy Hash: e30166cbfb847f33f10dc9a0d1f5e295825716b22ecda471e2197bcf92a4bf90
Instruction Fuzzy Hash: 9011C4B6C05A285BFB248A50DC84AEBBBB8FB48311F0042FAE54D56640D2785FC6CE91

Function 00415368 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: fffd537b50bc22be30234d3c1970548c3f62d62aaec4d30157c9f07abb9480d9
Instruction ID: 21bb769881fb6d545dc4e2cf582016435fe674fe5678618669afce9e50332be4
Opcode Fuzzy Hash: fffd537b50bc22be30234d3c1970548c3f62d62aaec4d30157c9f07abb9480d9
Instruction Fuzzy Hash: 73316F75D05A288FDB28CF18CE94AEABB79FB98305F1081E9D40C67254C7796BC5CE44

Function 0041B49A Relevance: 1.6, APIs: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 259de0db5b6fd6bd7cc189d2b32fb75b7f2b3471ca6239219715c73f6aafa49d
Instruction ID: 5af42319bfea09a23fe02515ddb0c1a57fc9b2e7178c853a166a89f33ffe5cbe
Opcode Fuzzy Hash: 259de0db5b6fd6bd7cc189d2b32fb75b7f2b3471ca6239219715c73f6aafa49d
Instruction Fuzzy Hash: FF1129F2C98614AEF7104620DD89BFB722CE754325F2441B7ED0D96180D27C5FC65A9A

Function 00414531 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 588f086301bc42b8613a801edaf6268299a3d9738604243ab604a9157250af10
Instruction ID: 49c510807b60eb2822e07266f43ee40d336899d8b8ba5be9ce473cffbd7d8c6d
Opcode Fuzzy Hash: 588f086301bc42b8613a801edaf6268299a3d9738604243ab604a9157250af10
Instruction Fuzzy Hash: 4D319435D086648FCB28CF28CE98BD9BB75AB88305F1542EAD00D67194C7795BC9CE45

Function 00414175 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 63aef3c27a6dcbbef21aa139902d1aeeef29c91b371723a8dea3f3a828165de4
Instruction ID: d1146e0852971d154727119566392c91db69529ef9053fd9789abc78be3655d5
Opcode Fuzzy Hash: 63aef3c27a6dcbbef21aa139902d1aeeef29c91b371723a8dea3f3a828165de4
Instruction Fuzzy Hash: E3318172D045288FDB28CF1CCE94BDABB75AB88309F1441EAD40DA7254C7B95BC98E45

Function 025172B1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 7eb476148465c7f3ea511d81fd962fc0e80fcbef7f934ff6cb3c3b581005804a
Instruction ID: 11ee9c6a42975ba574506ea9371782efe3bfacf8889b67d3972f479161949b94
Opcode Fuzzy Hash: 7eb476148465c7f3ea511d81fd962fc0e80fcbef7f934ff6cb3c3b581005804a
Instruction Fuzzy Hash: 7611E6B6C04628ABF7248654DC44AEBBBB8FF44311F0481FAE94D66640D3395FC6CE56

Function 025201C4 Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 294e74a8505973351756a1cf8f0102c9b1fa671fdd0dc04da5d69149d6855ac7
Instruction ID: 1257a4fbdfa0c51f6f7d1ba6ca9b3bde6a91da0fa305c3b543fa92c0cb559f4c
Opcode Fuzzy Hash: 294e74a8505973351756a1cf8f0102c9b1fa671fdd0dc04da5d69149d6855ac7
Instruction Fuzzy Hash: 7711E6B19052A86FF7218720CD24FFB3B39FBC2310F1042E9E588A51C6C2741BC68B55

Function 00414489 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 1a140839b2206c035e0c9caff8f865aeb95db792c3a4da02e0c9616e15febd99
Instruction ID: 05649ab263e6e927e73eec75f55cdade34765d7516b142371889ee9e572bca1a
Opcode Fuzzy Hash: 1a140839b2206c035e0c9caff8f865aeb95db792c3a4da02e0c9616e15febd99
Instruction Fuzzy Hash: D4318271D045288FDB28CE2DCE44ADAFBB5EB88305F1481EAD00D67658C7795BC9CE45

Function 025169B5 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 3a7094f511edf89e9aa52eec18bc2f961a147243dd10debba773007dac8d76dc
Instruction ID: 0e93ce5ede563c0b3d82773f8b36af4778f0f9ea3faedce88c42348cc363d5e2
Opcode Fuzzy Hash: 3a7094f511edf89e9aa52eec18bc2f961a147243dd10debba773007dac8d76dc
Instruction Fuzzy Hash: 3711C1B2C05AA85FF7208615CC44BD67F79EF81310F0545F6C84C6A185C2B86ECACFA6

Function 0041E9E4 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3e1768d45e2e46194e9bf9f9893c900781775049a40accb1a001e2b2b6d744bb
Instruction ID: d8a2eff88b74671ee8be78405892aa35910b2fa02a1bec7ebbd6c9c57302a9eb
Opcode Fuzzy Hash: 3e1768d45e2e46194e9bf9f9893c900781775049a40accb1a001e2b2b6d744bb
Instruction Fuzzy Hash: E121C275E041598FEB24CB65DCD46EEBB70BF85345F2441EAC86917281C2381AC5CE05

Function 0252A9D4 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0252AACA

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f7031d6038f35a0e0f63b90f1021d9fd54d0399181d4eacf800700310aed3e30
Instruction ID: f87064d49661932af24694eb4bfecfdfbf228ba4df72661d8e9922ffdfe1fb8b
Opcode Fuzzy Hash: f7031d6038f35a0e0f63b90f1021d9fd54d0399181d4eacf800700310aed3e30
Instruction Fuzzy Hash: 0711D3B1C055289FEB20CA14CD90BABBBB4FF41312F1482EAE809972C1E7355E88CF55

Function 0252008A Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: abb34a87a6320760f8e9ef98ff727c522c87b87e0c34628d138609342a3b6fed
Instruction ID: d8c89c42216056f99ccf0feb0b4116ccccd2fcbd8235dec302f0e2b2c388b50e
Opcode Fuzzy Hash: abb34a87a6320760f8e9ef98ff727c522c87b87e0c34628d138609342a3b6fed
Instruction Fuzzy Hash: 1611B2B1D062A86FEB219A20CC50BEA7B74BB92310F1105EAD589A62C2C6741FC9CB14

Function 0041421A Relevance: 1.6, APIs: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 5084487c1bea1109eec6d5f5d9948dedc8079a88211566eef2eed86633aabf16
Instruction ID: d6d5769e93a8c9cd52ac2ad9dcde85ad284d2dac803e3b132b7bcc7469727fb3
Opcode Fuzzy Hash: 5084487c1bea1109eec6d5f5d9948dedc8079a88211566eef2eed86633aabf16
Instruction Fuzzy Hash: B3217171D045288FDB28CF18CE84BDAFBB5AB88309F1581EAD00D67258C7B95BC98E45

Function 0041B552 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 83e2e4ad383e4afa489dfc4e2cb96589c3001f722bd055590bf81d01202b4cc5
Instruction ID: a850253ff0dbd4349ebab1a360f3da01b656d18c2b1874bc2c1f28f3f955c30a
Opcode Fuzzy Hash: 83e2e4ad383e4afa489dfc4e2cb96589c3001f722bd055590bf81d01202b4cc5
Instruction Fuzzy Hash: FB112BF2848250AEF7108620DC9ABFB7778EB50315F2440BBD94D99081C67C4FC68F5A

Function 025250EA Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 891ffd35cbd1485c54bc83f321f0162f0fc186c21752f18b14b2e8d0fa493192
Instruction ID: ad58d69b3e6e0c701b1caff62413233a2e27a6831a61f9590d48e1e463d15ef0
Opcode Fuzzy Hash: 891ffd35cbd1485c54bc83f321f0162f0fc186c21752f18b14b2e8d0fa493192
Instruction Fuzzy Hash: 63012DF29044159BE7188604DC55BFB7368FB91312F0006BDD60A551C0E7795EC88ED6

Function 0041C862 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ae63c5e048257067f3039b6b756ea3c59987e09f916fa158ceb6cb2ecfc5f1ac
Instruction ID: e858660d510e690c2047beaeef7fdd18c3cd5906502f33c8ff84e4139ec550f7
Opcode Fuzzy Hash: ae63c5e048257067f3039b6b756ea3c59987e09f916fa158ceb6cb2ecfc5f1ac
Instruction Fuzzy Hash: C711ECB2C94218AEE7108A24EDC8BEF7679FB44714F1081B6E909A1580C63D8FC59B45

Function 0041C869 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5d06fe31072f73db7e5db8156dcd5d6a683aef41863dccfe8814adc02f562b47
Instruction ID: 8c6524c0a6b907e5bf9f1507986ee31cd24442be3ee6fb2aa89a94f501fa2c04
Opcode Fuzzy Hash: 5d06fe31072f73db7e5db8156dcd5d6a683aef41863dccfe8814adc02f562b47
Instruction Fuzzy Hash: 7D11ECB2C94219AEEB108A20DD88BEB7B79FB48310F1081B6D808A6584D63D8FC58B45

Function 02516745 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: b045d057c2fc95598acea5fd6ce7c7dacc7c5efa29f601d2f1507b584ecb0121
Instruction ID: 5280e9048f956dc85472404a0bda8910249ab273fc5ea450b9a000bcdff7ab0e
Opcode Fuzzy Hash: b045d057c2fc95598acea5fd6ce7c7dacc7c5efa29f601d2f1507b584ecb0121
Instruction Fuzzy Hash: A401C4B3C04A686AF7204616DC49BD67B6CEB50321F0546B6D80C66280C2BD2FCACE96

Function 025169C7 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6432c8318c6c31d735ccae393ef13977569b52f5fd1d5cea3a4b4cf10df1951f
Instruction ID: 116becbdf071ddfa05b20cf53fc60b175bcc1910358e8ed10dfd56b506c2edde
Opcode Fuzzy Hash: 6432c8318c6c31d735ccae393ef13977569b52f5fd1d5cea3a4b4cf10df1951f
Instruction Fuzzy Hash: 531108B2D046685BF7204616CC48BD7BF79AF80321F0582B6C80C22180C3B86ECACE92

Function 02516A64 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: bbe8450253977bca0c062904586e0d32b2b2549ffbc811a1b10c1af19117d04b
Instruction ID: df3525043108303170cd80683e41ea06fd14e8bba330e92101b87b2e348f8943
Opcode Fuzzy Hash: bbe8450253977bca0c062904586e0d32b2b2549ffbc811a1b10c1af19117d04b
Instruction Fuzzy Hash: BD110CB2C016689BF7208B56CC887D67FB9EF40311F0545B6C40C16181D3B96ACACF96

Function 025253FB Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 025268AD

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1d8ff8e38f1ca72b150a6505b033f3631655489fae71bf2ab9a7ce8e8300d3cd
Instruction ID: 134696f7e01ee949b930c21142f75e74c44f56fc73cecf4513236193e4bb4f03
Opcode Fuzzy Hash: 1d8ff8e38f1ca72b150a6505b033f3631655489fae71bf2ab9a7ce8e8300d3cd
Instruction Fuzzy Hash: 9401B5F2A450159FE7288504DC55FFBB36CFB85321F0402BDEA0A962C0D6796AC8CE96

Function 00415458 Relevance: 1.6, APIs: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 16e25ef2f5c207c25ebcb1c6859400c07d849e0ef597ca9e94788e442c49c3f7
Instruction ID: 1c36b401c951dc3e23cd11d60758ee6411a8f8dca43621f9a16ef411bebbc5d0
Opcode Fuzzy Hash: 16e25ef2f5c207c25ebcb1c6859400c07d849e0ef597ca9e94788e442c49c3f7
Instruction Fuzzy Hash: B1215175D046288FCB28CF18CE84AE9FB75EB88305F1481E9D00DA7254C7755BC5CE45

Function 0251EE8A Relevance: 1.6, APIs: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0e64c9a066431770c1e538538201def131590c881ba035a83644e2ce619d83c8
Instruction ID: 3d1c9dd181f6a7aab4cda5850464469abfc4c7ccde79228b245dad98c42aba51
Opcode Fuzzy Hash: 0e64c9a066431770c1e538538201def131590c881ba035a83644e2ce619d83c8
Instruction Fuzzy Hash: A601B5719083A86EEB294630DC95BE77E34F742314F0102EBE699650C1C3B91BC4CB56

Function 0251F189 Relevance: 1.6, APIs: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f26637d0e53abb5c6a72f9583c64871bb17940e0889995a4a49f46e5f35177b0
Instruction ID: c7c354c668abb36951d96967b509535f919f1fccab264f0bacca0cec22caf347
Opcode Fuzzy Hash: f26637d0e53abb5c6a72f9583c64871bb17940e0889995a4a49f46e5f35177b0
Instruction Fuzzy Hash: 0F1122709483686EEB294620DC51BF77A34F742310F0102FAE69A690C1C7B82BC4CB5A

Function 0041EA27 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 284590203c9d4f6344e038b83bb4d3846814b2dd1e6acbd3fb5fb093bbdfbc72
Instruction ID: 0ece2404e48273a56849b7ff2f4b1e463a8c4d99babb6272a85de91f86cbe634
Opcode Fuzzy Hash: 284590203c9d4f6344e038b83bb4d3846814b2dd1e6acbd3fb5fb093bbdfbc72
Instruction Fuzzy Hash: 0A1125B6E041589EF724C662DCD86EF7774FF84315F2441FBC85912281C2382EC18E06

Function 025166C5 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 72e2da79b3d842b9e8d3967fa43727c636bbf3f067c7f81f9bf641e89d1818a8
Instruction ID: 08ee7274a6a0699867ec0e6af0a3dc22344fab640db0df747afcb11473d0aaa5
Opcode Fuzzy Hash: 72e2da79b3d842b9e8d3967fa43727c636bbf3f067c7f81f9bf641e89d1818a8
Instruction Fuzzy Hash: EE01B5B2D006689BF7304656CC48BD7BEB8AB44321F0542B6D84D26180C2B92ECACE96

Function 025169D6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 3a7fe09157d59cbe24c9704b448c8dc8aceb320caa815f45c81c60bafdeb5ce1
Instruction ID: f9c1f263f906aec51c04b116b12a9a6f0519714cda74675802a34fbbfe5e2cd5
Opcode Fuzzy Hash: 3a7fe09157d59cbe24c9704b448c8dc8aceb320caa815f45c81c60bafdeb5ce1
Instruction Fuzzy Hash: 9F01BEB2D006685BF7304655CC48BD77F7DAF44321F0542B6D40C16180D2792FC9CE96

Function 00414DA6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 101cdfed69212d95c6728f5e9b8822c13b190e66bbecbc5e3d127a321b681bf2
Instruction ID: 67c60fe61e93a98b40a416e98f1e5909637598c9038dfc5895d301ea03c25520
Opcode Fuzzy Hash: 101cdfed69212d95c6728f5e9b8822c13b190e66bbecbc5e3d127a321b681bf2
Instruction Fuzzy Hash: 8D21A1359086598FCB18CF2CCE94AD9FB75AB48309F1482DAD00C6B254C7B95BC9CF45

Function 0041587D Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: e6c544a69d2f7ed5de0680eb67c04cae5e6c445befbcf0c8994afd5a68814ab7
Instruction ID: 102379f3035811a6756246d7f6391455c2bf76d8c1dc0ab62493bf3e046c72f9
Opcode Fuzzy Hash: e6c544a69d2f7ed5de0680eb67c04cae5e6c445befbcf0c8994afd5a68814ab7
Instruction Fuzzy Hash: 67213C35905A298FCB28DF18CE84AE9FBB5AB88309F1482DAD00D67258C3755BC9CE45

Function 00415884 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 0c74814c970419d156efc63e33d7b344ec1c4089b94414aaddd3c884600bd64f
Instruction ID: 002924edb34e52c9dab2aec6c4ffb8fac8ca7b952bfafdbc8fd8adddb1d7976c
Opcode Fuzzy Hash: 0c74814c970419d156efc63e33d7b344ec1c4089b94414aaddd3c884600bd64f
Instruction Fuzzy Hash: CC213E35905A698FCB28DF18CE84AD9FBB5AB8C309F1485DAD00DA7254C3755BC4CF45

Function 00415891 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 05f1f2fa0499858905858a0dd537e5be070f9e021ade29bd6cfe6b78e001970e
Instruction ID: 130b5d472fde69285e2727f2d63a57f746d3093453fdec85d424b2d563f4634f
Opcode Fuzzy Hash: 05f1f2fa0499858905858a0dd537e5be070f9e021ade29bd6cfe6b78e001970e
Instruction Fuzzy Hash: 97211D35D05A298FCB28DF18CE84AA9FBB5EB8830AF1482DA900D67258C7755BC5CE45

Function 0252AA24 Relevance: 1.5, APIs: 1, Instructions: 46fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0252AACA

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2833f676f110f3bf7f383ea34c08a2f7570ad2e212116b6a2f8b14ddbc6fbdca
Instruction ID: 06e10b5336d3c7f88c8d62efc9e76e68550e7d030388f3ca78495a03ce017ee8
Opcode Fuzzy Hash: 2833f676f110f3bf7f383ea34c08a2f7570ad2e212116b6a2f8b14ddbc6fbdca
Instruction Fuzzy Hash: 7601B1B1C05528AEFB20CA05DE80BBBB774EF41311F1081FAE80D562C0E7351E98CE96

Function 025205B3 Relevance: 1.5, APIs: 1, Instructions: 46fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a95b43a8b28202706e2d5482095ed353b03a61a8c607c4b6129fdc3137bea5d6
Instruction ID: 3e5b89ef071779b8f25bf5dcd3f2f205f6496489b6f46db4997ea8cdbaa5ba6a
Opcode Fuzzy Hash: a95b43a8b28202706e2d5482095ed353b03a61a8c607c4b6129fdc3137bea5d6
Instruction Fuzzy Hash: 3F01D8B2E453A46FFB218730DD14BE77F35AB92310F1502EAE548A61C3C2B55B85CB15

Function 025200BF Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e665449f3481df5b4cabe8df88a87caa9c2090206978756f400df04b9234ae23
Instruction ID: a9a9f0efaa51855de8fa949671bbd7fd543c28014930da0e97d691d3e57b704a
Opcode Fuzzy Hash: e665449f3481df5b4cabe8df88a87caa9c2090206978756f400df04b9234ae23
Instruction Fuzzy Hash: B801D4709463A46FEB229B30CD60BEA7F34EB82710F1501DAD584AA2D2C6705B8ACF14

Function 004154F2 Relevance: 1.5, APIs: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 12837074adf44fb41b341c8af6b05101f35c149c12e54fa078bab54908b02e58
Instruction ID: fd01c687d2eb289cdd0abbbc3f1bc05a0c3dd0f4319cae37e76a57b1434755dc
Opcode Fuzzy Hash: 12837074adf44fb41b341c8af6b05101f35c149c12e54fa078bab54908b02e58
Instruction Fuzzy Hash: 76210C759056298FCB28CF18CE94A99FBB5BB88309F1481D9D40DA7258C7756BC4CE44

Function 0041E5AC Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 29c71a6a8ce6899506b88394d8833870e625a1a75b93006b9e4d96ab183479d0
Instruction ID: d9efd0cb38c4e8693931d6ded7153d37f359ea2bba5abef3276cd9f948528213
Opcode Fuzzy Hash: 29c71a6a8ce6899506b88394d8833870e625a1a75b93006b9e4d96ab183479d0
Instruction Fuzzy Hash: 2C118BB5C015288FD728CA14CD49BEAB771EBA4305F0400EBC90E67381EA796ED1CE85

Function 02520168 Relevance: 1.5, APIs: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2c6c0187c35e8d956e9bcbb30284187eaca78b0c004bf18b294f518cf0b1f9c6
Instruction ID: e72a359907913ea0d5a1e3ea799636fad62c6269fe61dc44b8388ff33852279f
Opcode Fuzzy Hash: 2c6c0187c35e8d956e9bcbb30284187eaca78b0c004bf18b294f518cf0b1f9c6
Instruction Fuzzy Hash: FF01F2B19413A86FFB618630EC90FE73B38EB52310F0405EAE584EA2C2C2755BC48F61

Function 02517901 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: b028ff3682295579ce617f9272c86a63c133fe1d8cbe995d194579a2eebeb533
Instruction ID: 9ebae597515638c79169a2706b2f9564d669933adb39b393ac527aa1d27c8465
Opcode Fuzzy Hash: b028ff3682295579ce617f9272c86a63c133fe1d8cbe995d194579a2eebeb533
Instruction Fuzzy Hash: F601A271C05A689BE7348B55DC45AD7BBB8EB44311F0042FAD44D56240D6741FC6CE91

Function 00414DC3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 7b37c2306635ce479f0258e8ec98b0f4f5cb4abee1fb6af909992396b93dc901
Instruction ID: b884804259e124b0de48f1445b5f5848933518517e0bf29dc385ab4250d7d561
Opcode Fuzzy Hash: 7b37c2306635ce479f0258e8ec98b0f4f5cb4abee1fb6af909992396b93dc901
Instruction Fuzzy Hash: BB214F35904A298FCB28CF5CCE94A99FBB5FB8830AF1482D9D00D67254C7B56BC88E44

Function 00CA51BF Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d464a7c766b595da835da45c709fd0e4f31d3a28975c46660ec67d15306194af
Instruction ID: 34f901c244187a75d6cdc8abbba7a8b97d7944f07058eedb243f6dbe8aebaa1c
Opcode Fuzzy Hash: d464a7c766b595da835da45c709fd0e4f31d3a28975c46660ec67d15306194af
Instruction Fuzzy Hash: 8A01F9F3D0161057F7244A61EC91BFB76ACDB80311F1840B9A60E551C2E6BE5AC08A51

Function 02525104 Relevance: 1.5, APIs: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 025268AD

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4faf9b94901eb3323e9efb52101748d508f2feaff0950fb1bc8a5752ad186c40
Instruction ID: 010911a68d006967e1f53f0cf469b9dd4f57c4a6e7a60c8b64a4621506af0f73
Opcode Fuzzy Hash: 4faf9b94901eb3323e9efb52101748d508f2feaff0950fb1bc8a5752ad186c40
Instruction Fuzzy Hash: AF01A9F2A440199BE728C504DC15FF7B3ACFB85315F0402FEEA0A951C0D7795AD88E95

Function 0041457A Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 004158CC

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: InfoPerformance
String ID:
API String ID: 3070290716-0
Opcode ID: 66bb73d4853e0cfd11bce03c0ae37fa927d1758748597fe9739d080facadaf77
Instruction ID: 15dc8cf2646a8b9a46b8774527ca9ffc6126ee3136000852301462eda88ddf43
Opcode Fuzzy Hash: 66bb73d4853e0cfd11bce03c0ae37fa927d1758748597fe9739d080facadaf77
Instruction Fuzzy Hash: 972130359045288FCB28CF18CE94A99FBB5BB88309F1481D9D00D67254C7B55BC98E44

Function 02517A46 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ae852570922ff721b190a9f4d5fbc998a96d6e43aba75d04e3a8d6f81e76ea1e
Instruction ID: 6fec4b842c0413db76323e55188528bfa4614528c481133db1e2d463418644fc
Opcode Fuzzy Hash: ae852570922ff721b190a9f4d5fbc998a96d6e43aba75d04e3a8d6f81e76ea1e
Instruction Fuzzy Hash: 8601D1B2C056289BFB208B51DC89ADBBBB9EB84310F0442FAD40D57340E2781FC6CE52

Function 025178FC Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1adeff401dfe2875c3e45ddba2f15ce09b0cb21beac3a508f0d0bf5acf32cd45
Instruction ID: 61afe67cb46e66773ae1de8607ac5963a30aafedc5b6ef30acefb9ccc2980135
Opcode Fuzzy Hash: 1adeff401dfe2875c3e45ddba2f15ce09b0cb21beac3a508f0d0bf5acf32cd45
Instruction Fuzzy Hash: 3F0186B1C056289BF7348B55DC499D7BFB8EB48311F0042FAD40D66240D6751FC6CE56

Function 0251FAD4 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 836f9395f442052a780f0c0ecee08fe7e5f232a074e147f1028c9cad26efc8e5
Instruction ID: 5974d58503a4b9b8dc4fca1da6a8872ba037671a30139e5c60458b9650f15330
Opcode Fuzzy Hash: 836f9395f442052a780f0c0ecee08fe7e5f232a074e147f1028c9cad26efc8e5
Instruction Fuzzy Hash: C80128709493E56EEB2197308C50BEB3F70BB42300F2105DAD185A90D3C2B557C9CB2A

Function 0251FADF Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7b05f504a742aa2f562cf1cd8b6236f6d89b506ae19ab8df8c3b68079ac7350e
Instruction ID: c1fa604187bee668f6db5b5bd649d0ea234d8c69ed1384e93b38e05aeb898c74
Opcode Fuzzy Hash: 7b05f504a742aa2f562cf1cd8b6236f6d89b506ae19ab8df8c3b68079ac7350e
Instruction Fuzzy Hash: C201C8709497F96FEB219B308C94BEA3F74BB52314F2102DAD185A90D3C2B55789CB25

Function 0251FADA Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b6cd144d091ec84b0201f2d2d1e49fe604a71f7fa981eb158348ea9a69cc5b6e
Instruction ID: 76eee603c62955e7bb9b4a6f269fac380fe46301eb48ed45423ace51391905d7
Opcode Fuzzy Hash: b6cd144d091ec84b0201f2d2d1e49fe604a71f7fa981eb158348ea9a69cc5b6e
Instruction Fuzzy Hash: 670128709493E56EEB2197308C50BEA3F70BF42300F2105CAD1C1A90D3C2B557C9CB25

Function 0041C493 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ec11059d26b7692d4fa61c9163542e45d31aee0c8853dcbcf829fb0dfedf9589
Instruction ID: aaaf57848a4f69a74df0af8c6dc8587d1bcd015f373546b64ed740064c1f1fc6
Opcode Fuzzy Hash: ec11059d26b7692d4fa61c9163542e45d31aee0c8853dcbcf829fb0dfedf9589
Instruction Fuzzy Hash: 36F062F2C94215ABE7109624DCC5BEBB774FB08754F1040B6E90DA6240D6785FC18F55

Function 0041B5A0 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5223331f0ece292e06cfe4be7d94a07a31b06af0a1a9b0af7df89630bacdfba6
Instruction ID: 54b7b4378c7319b230888ccf8d79443d55cbef66eb74d4f31220242dfd0701a1
Opcode Fuzzy Hash: 5223331f0ece292e06cfe4be7d94a07a31b06af0a1a9b0af7df89630bacdfba6
Instruction Fuzzy Hash: E0F0E9F28942149AE7109620DCC9BFB7238EB54750F2001B7D50DA6040D27C4FC18A5A

Function 025179CF Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 02517E67

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: c88e05f3810d5f0c2a7015b7038805f1f0c157094d991e73f38c3bd76390b611
Instruction ID: ed5be56660d0e7878468ef2a294ae9bbfd4cb28d63d9270632e3cec5f54903a4
Opcode Fuzzy Hash: c88e05f3810d5f0c2a7015b7038805f1f0c157094d991e73f38c3bd76390b611
Instruction Fuzzy Hash: BEF06DB1C0562D9BEB309B55DC85ADABBB8EB08310F0042FAD80D66240D6746FC5CF96

Function 025200D8 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bf75bbdce0d22473bf47551c1c650ba3579d1a90148a2f1473785b6d3a5ef229
Instruction ID: 3b61e68698075b88b7d0c68811307dfa40a1159bbfe178ecf2264a33376503cc
Opcode Fuzzy Hash: bf75bbdce0d22473bf47551c1c650ba3579d1a90148a2f1473785b6d3a5ef229
Instruction Fuzzy Hash: F5F09C709453A45FEB2587208D61BE67B34AB41710F1505DAD545BA1C2C2711BC4CF15

Function 0041EA8B Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0ecfbaec0acbfba2d74faba536cab58ca65d7a9c4cf515ee0c2fdc669570c261
Instruction ID: 4102c378c0a365c891508939056204c61bb57569964f9346421ce577959659dd
Opcode Fuzzy Hash: 0ecfbaec0acbfba2d74faba536cab58ca65d7a9c4cf515ee0c2fdc669570c261
Instruction Fuzzy Hash: C8F0C2B5C8429A9EF7218B55DC897EA7734FF40314F2401FAD84916241D7392EDACE06

Function 0041E66A Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: adb5471afe6217382fcff47eb0c2b3fe9c6fa2be0dc9d63377088033dd98cf72
Instruction ID: c333044c77c1e59e6659cd41271a66b3d683ec3f37ea236ee598fad8044caa1f
Opcode Fuzzy Hash: adb5471afe6217382fcff47eb0c2b3fe9c6fa2be0dc9d63377088033dd98cf72
Instruction Fuzzy Hash: F9F04976E052248FE768CA14DC49BEB7772EBC4311F1081BAD80E6B790CA392EC1CE54

Function 0041B5AD Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041C902

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8a03b55b467d50035039bbaa1c5a11db9a6f4f2276ec400f97c1679b3332c045
Instruction ID: 258d78126464b27e252ce15e4201766004c32784577cbc51d1d841d734fee670
Opcode Fuzzy Hash: 8a03b55b467d50035039bbaa1c5a11db9a6f4f2276ec400f97c1679b3332c045
Instruction Fuzzy Hash: 74F0A7F2D942149AF7109624DCC9BFB7378FB08750F1000B6E90DA6140D27D4FC14A99

Function 02520104 Relevance: 1.5, APIs: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 00beb67a97108ea359878560e3730f28e2be047d98630dba58de2503917f3169
Instruction ID: f288c9647e16b4d31b921e7381835500a1b3bbdc57b80888e9e0c55226a2be96
Opcode Fuzzy Hash: 00beb67a97108ea359878560e3730f28e2be047d98630dba58de2503917f3169
Instruction Fuzzy Hash: 3DF096709463A85FEB2687208D60BEA7B34AB82710F0101DAE544BA1C2C2B01BC4CF14

Function 0251FAF2 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02520631

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b806c9c0cbc18e3930c52b3aa662b7dd8fd8a640d1d2b56ed38f339c56b9e66f
Instruction ID: 5e152643e3b168a3826383504e9efa158ced32b6183004278ba7b9f93fc309ba
Opcode Fuzzy Hash: b806c9c0cbc18e3930c52b3aa662b7dd8fd8a640d1d2b56ed38f339c56b9e66f
Instruction Fuzzy Hash: 1BF0A7709493A86EEB6157309C15BE73F34AB42710F1505D6E584B91C2C2B157C8DB65

Function 0041E5B9 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 88e25b38c5ccbe5d4442c3b99938611a5e3a75af37fe3110680eb824fbe89342
Instruction ID: 25491efac79fd2eb281eba528802fca2d0e96950e447628cf9dd38ee36b21a23
Opcode Fuzzy Hash: 88e25b38c5ccbe5d4442c3b99938611a5e3a75af37fe3110680eb824fbe89342
Instruction Fuzzy Hash: 6DF082B1C115388BE728CA14DD5DBEAB770EB94302F0401FAD94E22780DBB92EC18E85

Function 0041EAA1 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a6d9dfd96aef1864b4077983a3253ad495e879bb8af6e179c4899c44d1ba5181
Instruction ID: 9e7a694e95cb7da723a5a1da34a3a83035f5137b9c701cac9cbe5ad93f0f23d3
Opcode Fuzzy Hash: a6d9dfd96aef1864b4077983a3253ad495e879bb8af6e179c4899c44d1ba5181
Instruction Fuzzy Hash: 30F08CB9D44259DEEB208A11DCCC7EA7334FB84311F2401B6D81A26280C6382EC99E0A

Function 0252A6A6 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,39335C83,?,00000000), ref: 0252AACA

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 86a55c5524a0fbf7a74c6e597a3e7af88a011291529ffd19e39e88275a4973b1
Instruction ID: 5b094a866de3da6a476e5f1034e65f2f7a35f0be57608144379949a78a4095df
Opcode Fuzzy Hash: 86a55c5524a0fbf7a74c6e597a3e7af88a011291529ffd19e39e88275a4973b1
Instruction Fuzzy Hash: 32E065B1D456289FDB24CA00CE80BB9F374FB45201F4045D9A80D63380E7326E54CF41

Function 0041D79A Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a2d50521878c42abd5cc1616a2956f3f192a89a4bb5d7675c3ca796017e800b
Instruction ID: 59f65fcff128a39ba3d1705e6448891a5a64666edec308981d50deb0a457bd76
Opcode Fuzzy Hash: 5a2d50521878c42abd5cc1616a2956f3f192a89a4bb5d7675c3ca796017e800b
Instruction Fuzzy Hash: ADE086E2C891585FE3518515EC0CBEF3919EBD0335F14C176A80D10AD5F73C56D694A6

Function 0041EAC7 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 4b484ffa76752736d07f725a78da4f3f7c162ab2d24ef284ea40f4e7fef7f12a
Instruction ID: 53eeac8963da1a15ae9944b41a9808fbc2383cd4a62e39abba7d4ab5ff02253c
Opcode Fuzzy Hash: 4b484ffa76752736d07f725a78da4f3f7c162ab2d24ef284ea40f4e7fef7f12a
Instruction Fuzzy Hash: D5E04F759452A88EDB21CB55CC985DFB730FB84340F2146F6D84A56691C6342EC18E45

Function 02517F99 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,02517A00,02517E9C,?,?,?,02517A00,?,?,?), ref: 02517FB2

Memory Dump Source

Source File: 00000000.00000002.1731067662.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PDFonlineseguro.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 01ed0c64d1628c405980cc92b5268ba959d8bec227148320baeb35d6de935af7
Instruction ID: 71d239fe362fe226fa0b84b17f422537d7829522c9228ef2fcaf2cfc4c419245
Opcode Fuzzy Hash: 01ed0c64d1628c405980cc92b5268ba959d8bec227148320baeb35d6de935af7
Instruction Fuzzy Hash: A6E04FB0C006584BEB28CB80CC456F9B735EB54310F0441DAE14952641D7755BC5CE51

Function 0041E72D Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c4282b075559ff3cdf7f527907e5e7c998f782722fd43f9a1b5a0538212b6de3
Instruction ID: 7cddf6eaf8b04ebaf689cb0426bb553fb9c1e87ed5fc0103890c35777db2ead1
Opcode Fuzzy Hash: c4282b075559ff3cdf7f527907e5e7c998f782722fd43f9a1b5a0538212b6de3
Instruction Fuzzy Hash: 41D01275804165CEE761DE55DD8C5D9B770F784311F2441E7DD0E19380D6342AC1DD56

Function 0041E734 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c64960071c33180f302231900c8f174044acbe3c8c120895754ec1c14f2d3670
Instruction ID: ef388ec0586e326c712600a13609f1e5ddbd26b408be36d6dc4a1f2d2c6df4f4
Opcode Fuzzy Hash: c64960071c33180f302231900c8f174044acbe3c8c120895754ec1c14f2d3670
Instruction Fuzzy Hash: 87D01734804668CAD721DE91CC8C6D8B730FB84301F2006E6980E6A380D6342AC1DE05

Function 0041D7B1 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ebcd246ad940a0f110aa552ceddcfc972d94f8e116a4a041a75805a4dafe9eed
Instruction ID: fea8fa85ad931074a08a5c5237b54e51782fd182f25f3284dbe9bcace016991f
Opcode Fuzzy Hash: ebcd246ad940a0f110aa552ceddcfc972d94f8e116a4a041a75805a4dafe9eed
Instruction Fuzzy Hash: CFD097E29880081FF3408610DC08BFE3629E7C0316F54C0B4904C00D88EB3C5AC35402

Function 0041EAE0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(D7402EF8), ref: 0041EB1A

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 49c345a571e3be6f7da75dc14c5c971a0d93ddaa0bc72571f9b98773a8c2832f
Instruction ID: fa1699ddebaefca88b04a53868e20f570e70ea1e2e9c46d79a4dfe0b0b0f78b8
Opcode Fuzzy Hash: 49c345a571e3be6f7da75dc14c5c971a0d93ddaa0bc72571f9b98773a8c2832f
Instruction Fuzzy Hash: 92D06775D455688FC756CA81CC496D8B770BB99302F2005D6C44A66751D6302AC19E45

Function 0041A4E3 Relevance: 1.4, APIs: 1, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06a61e69d04b37221295af2c4ad9485268b36de450e7d0959f44e347b7a98932
Instruction ID: 3d81ff04424be14c48b57625c950b00db357e467a1b15672939b08afbc1fec3e
Opcode Fuzzy Hash: 06a61e69d04b37221295af2c4ad9485268b36de450e7d0959f44e347b7a98932
Instruction Fuzzy Hash: D85103B2E051559BE7108A14CC94AFF777AEB82311F2880BBDC4D9A640D63C9ED28A42

Function 00CA6503 Relevance: 1.4, APIs: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 49618e66abfa8f2086e12feedc8a496c5dd9ed24b70c587651337dd0609aacfd
Instruction ID: 4fae6afbea0ba92fb9b6d34095aa4c523d55b8efd1b084475d40266f335d0907
Opcode Fuzzy Hash: 49618e66abfa8f2086e12feedc8a496c5dd9ed24b70c587651337dd0609aacfd
Instruction Fuzzy Hash: 05518AB1E4412A9FEB24CB05DC85BEABBB5EB86304F0841E9D84956282D7789EC5CF41

Function 00CA5C4E Relevance: 1.4, APIs: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d50615baf585f498bbe5242710424a956d7a71443f3cd7fbd97bcaf625262d9d
Instruction ID: 9dc054114b58b5291d2fc2548ecafaaa5091fd08bb8318aee3d730af66c892a0
Opcode Fuzzy Hash: d50615baf585f498bbe5242710424a956d7a71443f3cd7fbd97bcaf625262d9d
Instruction Fuzzy Hash: 2141C4B2E055299FF7248A05DC59BEA7679EB82318F0840FED94D5A280D7B94FC48F42

Function 0041A619 Relevance: 1.4, APIs: 1, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ef3baeaef6a78363d4142595e8e8ef8d99ea22057487e5c1f2f0a03e907f4cbd
Instruction ID: c3ff37bf79cf76dfa6fca5c49f726833a09446a910aabf9f199289c16f3eb03c
Opcode Fuzzy Hash: ef3baeaef6a78363d4142595e8e8ef8d99ea22057487e5c1f2f0a03e907f4cbd
Instruction Fuzzy Hash: 443135F2E015945BF7108514DC88BFF7B39EB82325F2840BBE84D9A280D23C5AC28957

Function 00419407 Relevance: 1.4, APIs: 1, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b7d2213f06332f7a0a61e03ef2949af1ed4cd01500d0c6b28b4b0d5c143cfd36
Instruction ID: 210502c76941dbec5fb3054a4451f716325695ce09277e0969f745675bfb7826
Opcode Fuzzy Hash: b7d2213f06332f7a0a61e03ef2949af1ed4cd01500d0c6b28b4b0d5c143cfd36
Instruction Fuzzy Hash: 043158B2C041949FF3209A20DD4CBEB3A68EF81314F2844F7E849962C1D2BD4ED6CA57

Function 0041A41D Relevance: 1.3, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 29080d96b95a6c36101a227888c6101e968bc040e2918fe26203054658d55746
Instruction ID: d570770a524d128368dbe623f5d9a5287152d361d6ed24f1753d7f1ecad7c6b4
Opcode Fuzzy Hash: 29080d96b95a6c36101a227888c6101e968bc040e2918fe26203054658d55746
Instruction Fuzzy Hash: A831AFB2D041559FE7208A14DD89BFBB778EB84310F2440B7EC0DA7680D6789EC68A56

Function 00CA58D2 Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6427ad70b8a6e71b14d44b891e10573e21b0c0d1206dcf283a2e2005312295e6
Instruction ID: 77b02bb29e4f434c5ef26776da3ccbab7c61a46912c88f5f88dffd581a5c6c80
Opcode Fuzzy Hash: 6427ad70b8a6e71b14d44b891e10573e21b0c0d1206dcf283a2e2005312295e6
Instruction Fuzzy Hash: BC31D8B1E051258FFB248A05CC497EA7679AF92308F1840EED54D5A280E7B85FC5CF02

Function 00CA680B Relevance: 1.3, APIs: 1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c5e23b887a73ba4463e5d6b2aa0441aa84304a7c0074681eaa96e7a314029b58
Instruction ID: 2af9ac71371668b0e542ba8f4a44a92f861c30379d6e03ef1e95cb0ece49d7eb
Opcode Fuzzy Hash: c5e23b887a73ba4463e5d6b2aa0441aa84304a7c0074681eaa96e7a314029b58
Instruction Fuzzy Hash: F931C4B0A092699FEB249F15C8887E977B9EF43308F1841DDD5895A181D7785EC5CF02

Function 00CA54DB Relevance: 1.3, APIs: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fb6d81eca2fa5af27d30ee4700f41b4d83ff7fd485674375b8065b78594a9b4c
Instruction ID: df789d64886b79e6b4dbe41248fa50fd3c3b0568e0ee126886ac41f76d6ef128
Opcode Fuzzy Hash: fb6d81eca2fa5af27d30ee4700f41b4d83ff7fd485674375b8065b78594a9b4c
Instruction Fuzzy Hash: 6F31B271E091198FEB24DE15D849BEAB7B5FF82308F0441EDD8895A281D7B85EC4CF82

Function 0041A6C9 Relevance: 1.3, APIs: 1, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 68a3ed7be8051641e8b7a9f097d91a1bad0bdd7a8cda88b50e1ff12083ab4bcc
Instruction ID: d13388eb6e63b2090b18a6cc7ee9946a667886765f153788b096cdbc87978041
Opcode Fuzzy Hash: 68a3ed7be8051641e8b7a9f097d91a1bad0bdd7a8cda88b50e1ff12083ab4bcc
Instruction Fuzzy Hash: 54218CF3E01554AAF3204510DC49FEB6678EBD0324F2A00B7E90D96680E2BD9FD68967

Function 00CA5D08 Relevance: 1.3, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ab792f98daa9152bdeb5b580cb51dd8d1f036de8d0f5729ff18366067c5d3c7e
Instruction ID: 0aee322a38d84ed5aa2ad193daa8fe8228587f38aa3f99c86dfcd6e134d40f21
Opcode Fuzzy Hash: ab792f98daa9152bdeb5b580cb51dd8d1f036de8d0f5729ff18366067c5d3c7e
Instruction Fuzzy Hash: CF318FB0E441298FFB249B05CC59BE972B9AF52308F0881EDD94956280E7B95FC4CF42

Function 00CA6830 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ec6fd05c990fb177cd30a2e324e6dc882e21cd6d2467c619534d91d1e2478f6
Instruction ID: f8022854e1181367dfc866856c8afc4d3a74bd82b4993082c03990dac0f9abc3
Opcode Fuzzy Hash: 0ec6fd05c990fb177cd30a2e324e6dc882e21cd6d2467c619534d91d1e2478f6
Instruction Fuzzy Hash: 36319E70A092699FEB249E11D8887EAB7B9EB43318F1801DDD58A1A181D7B85FC4CF42

Function 00CA54BF Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ddb9c4d3f6461fa0a06a459722400da86cca77ecdf52b02c10173b0aaf6240d
Instruction ID: 54cb9b17c447122e9994765564348c9823bd53037c8b1a29498c7deeea3fdbbf
Opcode Fuzzy Hash: 0ddb9c4d3f6461fa0a06a459722400da86cca77ecdf52b02c10173b0aaf6240d
Instruction Fuzzy Hash: A021C470E092699FFB219E15C84C7DABA75AF93308F0841EDD5891A182D7B84EC5CF42

Function 00CA640B Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2c45ef62b780a3a200a79ecc01241998db3e781816f6f769dc0521fb94dd9b18
Instruction ID: bb58247fb36cb569d932f33d3b89b72b8ad3e438d6d02bf0798f6e0f9d9d6994
Opcode Fuzzy Hash: 2c45ef62b780a3a200a79ecc01241998db3e781816f6f769dc0521fb94dd9b18
Instruction Fuzzy Hash: 1D218370A451298FFB34DE05D848BEAB779EB43318F1440D9D5895A181D7B85EC5CF41

Function 00CA6862 Relevance: 1.3, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c7f464a65d02188d2ee8460061d8ded33d67b0e9a6fad5a89614a3ad81e79987
Instruction ID: 83a3aa2456f5bc9828c4e5084d57d9d55e1340ee4c6bc0ff0ccb46856c124b2a
Opcode Fuzzy Hash: c7f464a65d02188d2ee8460061d8ded33d67b0e9a6fad5a89614a3ad81e79987
Instruction Fuzzy Hash: 1A21AF70A092698FEB25CF11C8497E9B7B5EF47308F0840CDD5896A181C7B45EC0CF42

Function 00CBC94E Relevance: 1.3, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CBD49F

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 03f27b90ac4b99cb948c9259d21fe80c0cd3d34fa65889c731042f178f676ff2
Instruction ID: 195fbfd71b325efe8d4620fbc9ec1aceb0a07e05680dc82cccfb567720530f18
Opcode Fuzzy Hash: 03f27b90ac4b99cb948c9259d21fe80c0cd3d34fa65889c731042f178f676ff2
Instruction Fuzzy Hash: C911B8E3E4D3049AFB280A24EC697F63A28D301311F1442BFDA0F144C2E5BE2BC08993

Function 00CBC0E5 Relevance: 1.3, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CBD49F

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4df710cc511ab3e1a476f22e4b414b27eb6dcc7059dca2a96385b01a6f229788
Instruction ID: 1f2b56cfdb5a118ca20511c3fda4e36d08c1536055aa13ce12d23c3421360777
Opcode Fuzzy Hash: 4df710cc511ab3e1a476f22e4b414b27eb6dcc7059dca2a96385b01a6f229788
Instruction Fuzzy Hash: 6D0168E2E4D3049AFB280611EC597B67A68D741711F1441BEDA0F141C1E5BE2BC08993

Function 00CA5D5B Relevance: 1.3, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 33211f2559424aeb37ad58b17db63fa7e396f1b4362fb22b52064d52a0c2edfe
Instruction ID: d5cef585a79d78fa6362cdb5a55828a8bfc515c815cb8996e5f2d01e8056fe98
Opcode Fuzzy Hash: 33211f2559424aeb37ad58b17db63fa7e396f1b4362fb22b52064d52a0c2edfe
Instruction Fuzzy Hash: 6F21BE70A492298FEB35DF02C85CBE9B775AF53308F0840D9D5896A181D7B88EC5CF02

Function 00CA6875 Relevance: 1.3, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA68B4

Memory Dump Source

Source File: 00000000.00000002.1730830306.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08a928a999e95b40d124416526e2213aac4a38d20a6c1124ea9b7a7c42421095
Instruction ID: 2c667744d09ff988786bee94661aa6b011afb8da57c3bcc3d70dfd072fd946ba
Opcode Fuzzy Hash: 08a928a999e95b40d124416526e2213aac4a38d20a6c1124ea9b7a7c42421095
Instruction Fuzzy Hash: 16215C70A452298FEB34DE15D848BE9B775AF47309F1840DDD4896A281DBB89EC4CF02

Function 0041A2FD Relevance: 1.3, APIs: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A765

Memory Dump Source

Source File: 00000000.00000002.1730012869.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1729990886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730059201.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.000000000044E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730093622.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.00000000004BA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730154480.000000000055E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFonlineseguro.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f299c123f6a1141e2bfcddf222696ac1948d9bb74d6550779eb58fda38854e01
Instruction ID: d742e8a0be69d366727acb49402eb69a7df7b83cbe85b0c4f3b44d59bb3f023f
Opcode Fuzzy Hash: f299c123f6a1141e2bfcddf222696ac1948d9bb74d6550779eb58fda38854e01
Instruction Fuzzy Hash: F0018FF2D45259AFF3118510DC89BFB7638EB84324F2500B7E90D96380D6BD9FC68A56

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PDFonlineseguro.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Documents\NordVPNnetworkTAP\Lang\RemotePCPrinter.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
PDFonlineseguro.exe

Function 00CA6465 Relevance: 31.9, APIs: 1, Strings: 20, Instructions: 367
memoryCOMMON

Function 00CB8DD9 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 425
memoryCOMMON

Function 0041290D Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 490
libraryCOMMON

Function 0251FE3E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMON

Function 0251FBE5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 234
COMMON

Function 00412563 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 645
COMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre