Edit tour

Windows Analysis Report
Orden de compra.000854657689654253545676785436.exe

Overview

General Information

Sample name:	Orden de compra.000854657689654253545676785436.exe
Analysis ID:	1501079
MD5:	cb29bcf1cb3fc646be98d82c5d9f9eb9
SHA1:	3c7745a7f680529e340eaf621b44d00a0fb144f2
SHA256:	2423cbba54e73aee0fcc5914484f01f2f11684cdde5a3a07681d0d3fed59aa36
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Orden de compra.000854657689654253545676785436.exe (PID: 2668 cmdline: "C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe" MD5: CB29BCF1CB3FC646BE98D82C5D9F9EB9)

RegSvcs.exe (PID: 560 cmdline: "C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2778089830.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
Process Memory Space: Orden de compra.000854657689654253545676785436.exe PID: 2668	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Orden de compra.000854657689654253545676785436.exe PID: 2668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Orden de compra.000854657689654253545676785436.exe PID: 2668	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 560	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32641:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x326b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3273d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32839:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x328ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32941:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f7d3:$s2: GetPrivateProfileString 0x2eea1:$s3: get_OSFullName 0x304d3:$s5: remove_Key 0x306aa:$s5: remove_Key 0x315db:$s6: FtpWebRequest 0x32623:$s7: logins 0x32b95:$s7: logins 0x358a6:$s7: logins 0x35958:$s7: logins 0x372ad:$s7: logins 0x364f2:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Multi AV Scanner detection for submitted file

Source: Orden de compra.000854657689654253545676785436.exe	ReversingLabs: Detection: 65%
Source: Orden de compra.000854657689654253545676785436.exe	Virustotal: Detection: 61%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Orden de compra.000854657689654253545676785436.exe

Joe Sandbox ML: detected

Source: Orden de compra.000854657689654253545676785436.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1521958319.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1523125622.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1521958319.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1523125622.0000000003D90000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0103DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0103DBBE
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0100C2A2 FindFirstFileExW,	0_2_0100C2A2
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0104698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0104698F
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_010468EE FindFirstFileW,FindClose,	0_2_010468EE
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0103D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0103D076
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0103D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0103D3A9
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0104979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0104979D
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01049642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01049642
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01049B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01049B2B
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01045C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01045C97

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0104CF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent,

0_2_0104CF1A

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.2778089830.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.2778089830.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, n00.cs

.Net Code: EldX

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0104EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0104EAFF

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0104ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0104ED6A

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

0_2_0104EAFF

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0103AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0103AB9C

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_01069576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01069576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: Orden de compra.000854657689654253545676785436.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e8b99a07-1
Source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1bbcfa95-4
Source: Orden de compra.000854657689654253545676785436.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4dcd2b01-7
Source: Orden de compra.000854657689654253545676785436.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_14082f5a-b

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0103D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0103D5EB

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_01031201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01031201

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0103E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0103E8F6

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FD8060	0_2_00FD8060
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01042046	0_2_01042046
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01038298	0_2_01038298
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0100E4FF	0_2_0100E4FF
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0100676B	0_2_0100676B
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01064873	0_2_01064873
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FDCAF0	0_2_00FDCAF0
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FFCAA0	0_2_00FFCAA0
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FECC39	0_2_00FECC39
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01006DD9	0_2_01006DD9
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FD91C0	0_2_00FD91C0
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FEB119	0_2_00FEB119
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF1394	0_2_00FF1394
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF1706	0_2_00FF1706
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF781B	0_2_00FF781B
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF19B0	0_2_00FF19B0
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FE997D	0_2_00FE997D
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FD7920	0_2_00FD7920
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF7A4A	0_2_00FF7A4A
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF7CA7	0_2_00FF7CA7
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF1C77	0_2_00FF1C77
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0105BE44	0_2_0105BE44
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF1F32	0_2_00FF1F32
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01009EEE	0_2_01009EEE
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01303610	0_2_01303610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F7C5B4	2_2_00F7C5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F74A80	2_2_00F74A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F7DA16	2_2_00F7DA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F73E68	2_2_00F73E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F741B0	2_2_00F741B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06522438	2_2_06522438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06521288	2_2_06521288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06523BD8	2_2_06523BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_065234F0	2_2_065234F0

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: String function: 00FF0A30 appears 46 times
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: String function: 00FD9CB3 appears 31 times
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: String function: 00FEF9F2 appears 40 times

Source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1522997413.0000000003D13000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Orden de compra.000854657689654253545676785436.exe
Source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1522087446.0000000003EBD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Orden de compra.000854657689654253545676785436.exe
Source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs Orden de compra.000854657689654253545676785436.exe

Source: Orden de compra.000854657689654253545676785436.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_010437B5 GetLastError,FormatMessageW,

0_2_010437B5

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_010310BF AdjustTokenPrivileges,CloseHandle,		0_2_010310BF
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_010316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_010316C3

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_010451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_010451CD

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0105A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0105A67C

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0104648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0104648E

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_00FD42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FD42A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

File created: C:\Users\user\AppData\Local\Temp\autE17D.tmp

Jump to behavior

Source: Orden de compra.000854657689654253545676785436.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2778089830.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Orden de compra.000854657689654253545676785436.exe	ReversingLabs: Detection: 65%
Source: Orden de compra.000854657689654253545676785436.exe	Virustotal: Detection: 61%

Source: unknown	Process created: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe "C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe"
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe"
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Orden de compra.000854657689654253545676785436.exe

Static file information: File size 1163776 > 1048576

Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Orden de compra.000854657689654253545676785436.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1521958319.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1523125622.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1521958319.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Orden de compra.000854657689654253545676785436.exe, 00000000.00000003.1523125622.0000000003D90000.00000004.00001000.00020000.00000000.sdmp

Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Orden de compra.000854657689654253545676785436.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD42DE

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF0A76 push ecx; ret		0_2_00FF0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0652CB60 push es; ret		2_2_0652CB70

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FEF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00FEF98E
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01061C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01061C41

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Orden de compra.000854657689654253545676785436.exe PID: 2668, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96579

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

API/Special instruction interceptor: Address: 1303234

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Orden de compra.000854657689654253545676785436.exe, 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

API coverage: 3.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0103DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0103DBBE
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0100C2A2 FindFirstFileExW,	0_2_0100C2A2
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0104698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0104698F
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_010468EE FindFirstFileW,FindClose,	0_2_010468EE
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0103D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0103D076
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0103D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0103D3A9
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_0104979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0104979D
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01049642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01049642
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01049B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01049B2B
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01045C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01045C97

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD42DE

Source: RegSvcs.exe, 00000002.00000002.2778089830.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.2778089830.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.2778874540.0000000005F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_00F77068 CheckRemoteDebuggerPresent,

2_2_00F77068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0104EAA2 BlockInput,

0_2_0104EAA2

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_01002622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_01002622

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD42DE

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF4CE8 mov eax, dword ptr fs:[00000030h]	0_2_00FF4CE8
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01303500 mov eax, dword ptr fs:[00000030h]	0_2_01303500
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_013034A0 mov eax, dword ptr fs:[00000030h]	0_2_013034A0
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01301E70 mov eax, dword ptr fs:[00000030h]	0_2_01301E70

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_01030B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_01030B62

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01002622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01002622
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FF083F
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF09D5 SetUnhandledExceptionFilter,	0_2_00FF09D5
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_00FF0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FF0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A70008

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

0_2_01031201

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_01012BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_01012BA5

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0103B226 SendInput,keybd_event,

0_2_0103B226

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0103E355 mouse_event,

0_2_0103E355

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

0_2_01030B62

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_01031663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_01031663

Source: Orden de compra.000854657689654253545676785436.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Orden de compra.000854657689654253545676785436.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_00FF0698 cpuid

0_2_00FF0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_01048195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_01048195

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0102D27A GetUserNameW,

0_2_0102D27A

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_0100B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0100B952

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe

Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de compra.000854657689654253545676785436.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 560, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Orden de compra.000854657689654253545676785436.exe	Binary or memory string: WIN_81
Source: Orden de compra.000854657689654253545676785436.exe	Binary or memory string: WIN_XP
Source: Orden de compra.000854657689654253545676785436.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Orden de compra.000854657689654253545676785436.exe	Binary or memory string: WIN_XPe
Source: Orden de compra.000854657689654253545676785436.exe	Binary or memory string: WIN_VISTA
Source: Orden de compra.000854657689654253545676785436.exe	Binary or memory string: WIN_7
Source: Orden de compra.000854657689654253545676785436.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2778089830.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de compra.000854657689654253545676785436.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 560, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra.000854657689654253545676785436.exe.1310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de compra.000854657689654253545676785436.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 560, type: MEMORYSTR

Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01051204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_01051204
Source: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe	Code function: 0_2_01051806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01051806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	741 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	32 Virtualization/Sandbox Evasion	Cached Domain Credentials	32 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Orden de compra.000854657689654253545676785436.exe	66%	ReversingLabs	Win32.Worm.DorkBot
Orden de compra.000854657689654253545676785436.exe	61%	Virustotal		Browse
Orden de compra.000854657689654253545676785436.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	Orden de compra.000854657689654253545676785436.exe, 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2778089830.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002D68000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000002.00000002.2778089830.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778089830.0000000002D68000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501079
Start date and time:	2024-08-29 12:01:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Orden de compra.000854657689654253545676785436.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 47 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	IrisLily673Xander.msc.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=11827
	spglr64.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	obvious.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	#U00d6deme Talebi_27.08.2024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	memreduct.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	IrisLily673Xander.msc.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	spglr64.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	obvious.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	#U00d6deme Talebi_27.08.2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Doc-Secure6025.pdf	Get hash	malicious	Unknown	Browse	51.77.64.70
	memreduct.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	IrisLily673Xander.msc.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	spglr64.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	obvious.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	#U00d6deme Talebi_27.08.2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	memreduct.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	http://stream.crichd.vip/update/sscricket.php	Get hash	malicious	Unknown	Browse	162.252.214.4

Process:	C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe
File Type:	data
Category:	dropped
Size (bytes):	154282
Entropy (8bit):	7.911812979878426
Encrypted:	false
SSDEEP:	3072:SeRePwHvy/dlz1P4OPITfYgYiMVoS/Mq7YFQQsXuZ9wDCo41gDE7GcC2V:SeRQwHvy/Pz1PrjisN/Mq8oXQm4QEC2V
MD5:	E1CD0BF3C9FD4898D652589AE152EAA0
SHA1:	5F206E8623AC93B53022229C190D3E89672A5B80
SHA-256:	90AE8AC4FDEC8D1A64DA354A8BE632AE275345C912A200D0C7AA753963018E4B
SHA-512:	EEB06FB53B16978D3CAAE553908C819DF6236CD578996F88AD042B684A7F4CB689DE57E262D8BBD9D693D4540E9A2B737F0B604CC88D4190502DFBF60020B19E
Malicious:	false
Reputation:	low
Preview:	EA06.....D....Z.6..iu.v.U.T)t..I..' ....X....Y...j......X..?.z..a..c.P.5..#.....}A.I.....wY..e3X..{;.Nd.(..)i.H.;..G..,f7....t..3...T..5.Rhu).2.U..M...lI.Sz.....jj...VmC.....EV`.5.....Z]"..a.-&+...j.t...Uf....Q@1.P.X#. .._.`._<..Y.........C...,.....v.8.K. ....2.,....K.X.b..\..A.N....Nf.,l.....a..7\|..]"+..K..j...Y...s.....M\|.:m.$.a...4.....,RhU.O.W..luI...0.n.....-Q3.....q.Giw.<....[Z...J.}...../@..+<}...E.n...-..A.G).Z.-..P.....A..S.u..C#..@f..=6K.........z..i.V...N....O...s+.J...~m.m._O....q=^....U..kd.7..,V...1.\|.\.P...f.>/.K.P.G...u..... y....m......[7+..%........n......K@7.x..J..#.c........J.X[.....a...<...sB.m.B+gO.y..u.^..cz.`...............C.^..G..B ..n....!z.z.P.^#t.UZkN.T..:=..x..06..J.3...9....js.=TW...r.\I&W...J..p.li.t~H.a.........:.4F.qI..8.n..M.O...$.)$.X.ui..s:.]..(.v. ..&.9.QiU.T....jQ..".>.rg........j.Y..7K.Mf...c..fv...9._......1..f.J.>.q.Q.5.t.QS.P....aS..it*.f.K.N.5j.r.O.Kh.EF=...3:m..L.U.R..2...X`W.%B.H..7.X..QT..,1.

C:\Users\user\AppData\Local\Temp\autE1BD.tmp

Download File

Process:	C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe
File Type:	data
Category:	dropped
Size (bytes):	43656
Entropy (8bit):	7.823642651253195
Encrypted:	false
SSDEEP:	768:9voioFMTIncg3st2lHjINtjWUE+8eMPAG4iP/oDMt9bh9ibOFhc+vrMsxk:9hoSxneDIvjWkLSZYDOPibwhdDK
MD5:	2CEFC078671C2AFAEF3C6ED72FF24764
SHA1:	1F569B2FC00D80624ED01FCBECE55F5B47D5A1C8
SHA-256:	8A7E71B3829621DBB7D81C9DF224E3CFC78324576DCE5BF9274AFF9DFE9448DE
SHA-512:	AF65016BB67C74EC843D26C45F5BC599BEB75B68894231A127AF03643F9935FDC9DF4370BA09399B45F08EA3538274289FEA6C37269FCFF7B5805DAEF4A10B93
Malicious:	false
Reputation:	low
Preview:	EA06..P...(.y.jg5...)..6.Qf.Zt.gB..&s...kF.L.i.bm3....I..3.S.s.l.aL..)S9..g6.<(.9.>m2.L..)..6.U.s...3.V..j..`.NS&sj..qX..h.9.Bg5.......6.Pfs...mX..@...6.3.Q.....6...'..g4........Rf....oF.. .u.g0..KT......L.....3..&sZ..c8..m.9.Rg6.....`......... .6T@.P..3......6.P.(.0.j.T...8..V.......Q.......gS.L.3i...P.;.Aj@.....@Q..g6......3...........+S9..f....0.h...T@......@(.T.r......E"g3.L.@.ERg0...U....O.j..t..U..@...3.U.l...3.Vf.?..{R...@6..g6..lT..3..6....3.U&..d..0...J...Q...".....T.s.<.iH.D@`..!S.D. H...f....(.ZR.(....L...y....Vf...b.6..@wj...M.6.S9.8..........Z..&s:..f.f.L.,.@.].Zj`.(..O.N.Z.."mF.Mj...L.....@.%D.z...3. ......j..mX..?.jD.mU.M.3i. ....[....sO....6......@....M.....mR.M..i.<."..+.D.p.\.R. ..T...4X.!...$... ...%......3i...[ ......T..j..%V...4.:....9...(.M.4..Z.6..&. ...`.....`.EN.O. lp.yI....0..H.c.$..!..x.$.....\|.....<.eX.G.W. ..-.`..... .. ....>......-.(.0.....()..@..Z......0....T...m4.....%I.B.`$...P.L@..<.gA.H........J@.Z.....p.Vk

C:\Users\user\AppData\Local\Temp\cerecloths

Download File

Process:	C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	86022
Entropy (8bit):	4.178876925093529
Encrypted:	false
SSDEEP:	1536:PTyC/FMVQR61LdsWE+K57tKX84GP/+zKiPKxIG6wxxQM4XWcgN:PeC/FMzXLXkEaZF3O6N
MD5:	CF8EF58F67ABD2FD455589504723B3D9
SHA1:	793CA2676BEC4E616E63BD3483DB798E93E2E1A5
SHA-256:	38E7B9122F4F32031BC07E9C5B3E63FF105D90F8F5131AE7EE6E88F0A03D889A
SHA-512:	A338BF3E13C2AFE4B8197D23EBC3EFF6610AFE229992B8069DF4FEC3C92E06D38FFFC034DA40F7D569ADE7AA9D0462BABC3C9452F8A396B62089429B6FC392BD
Malicious:	false
Reputation:	low
Preview:	30G78Z35S35R38E62E65N63B38E31B65F63T63X63Y30T32F30N30M30L30J35C36Z35F37O62T38R36K62W30Y30Z30X30N30B30C36L36C38X39F34P35E38Y34L62A39S36X35B30C30C30J30D30Z30U36X36G38Z39J34G64Y38L36K62I61V37F32I30C30E30W30M30K30R36B36P38X39R35D35Z38E38U62E38T36S65P30G30D30I30K30P30S36T36Q38T39J34O35Q38N61I62C39S36F35C30P30Z30E30G30L30V36E36K38Z39Q34G64L38Z63S62Q61S36P63X30N30H30R30K30A30T36A36Y38V39Q35I35T38Q65O62Z38Z33D33Y30K30S30L30R30U30U36D36Z38Y39I34O35J39A30O62X39H33Z32R30T30Q30K30Z30S30L36K36R38X39J34V64Z39O32V62T61N32Y65R30G30R30Y30R30B30G36W36K38N39K35O35I39W34T62R38M36X34S30V30N30Q30Q30A30O36O36C38R39G34H35Q39R36I62S39S36Y63Y30C30X30H30R30Z30B36J36R38C39Y34U64W39U38E62Y61U36E63U30M30R30P30M30Z30Z36N36P38Y39S35B35I39Z61I33P33E63N30A36P36T38C39S34S35Q39O63U62Z39G36F65U30Y30S30A30X30L30W36Q36Y38L39I38D64Y34Y34N66V66X66K66H66U66Q62H61U37Y34U30O30N30O30P30T30U36P36T38Z39H39O35T34X36S66R66G66O66H66M66V62H38A36S34B30A30X30S30O30Z30X36P36K38P39Y38O35M34R38D66U66X66Q66A66K66H62Z39Z36O63R30X30Z30V30V30B3

C:\Users\user\AppData\Local\Temp\molecast

Download File

Process:	C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.7028111135030475
Encrypted:	false
SSDEEP:	6144:CWDImTFG+4P8SoKJlI1tsb2acKqSmWEhck40D8chDGm:Ce4tP8SoK0c8S9EhdKlm
MD5:	D8B8F763E66853081109C0375D1A6865
SHA1:	DE3AF3A0294AF38FC5F675E37D8586402FE63933
SHA-256:	942726647273BC63683578085F2AB921B472141D402FA934F05C3D62C228AFAA
SHA-512:	C18826615A4F77556321013A35619D78058E7AA0079E73D50FE1A01D0E516A4781250EE80DE005F33576E4343A80265421D26F48FF5AC5515E2D05388E4B78C4
Malicious:	false
Reputation:	low
Preview:	...L:VU6GMKP.HU.PKBY3GI.L9VU6CMKP1KHU4PKBY3GIUL9VU6CMKP1KHU.PKBW,.GU.0.t.B..qe#!&. 9->A&$u/X8;Y7m)5.9=;.9%b.\|.i8#]3{;NGoP1KHU4P..Y3.HVL...SCMKP1KHU.PICR2LIU.:VU>CMKP1K&.7PKbY3G.VL9V.6CmKP1IHU0PKBY3GIQL9VU6CMKp5KHW4PKBY3EI..9VE6C]KP1KXU4@KBY3GIEL9VU6CMKP1KP.7P.BY3G.VL.SU6CMKP1KHU4PKBY3GIUL=VY6CMKP1KHU4PKBY3GIUL9VU6CMKP1KHU4PKBY3GIUL9VU6CMKP1KHu4PCBY3GIUL9VU6KmKPyKHU4PKBY3GI{8\.!6CM?.2KHu4PK.Z3GKUL9VU6CMKP1KHU.PK"wA4;6L9V.3CMK.2KHS4PK.Z3GIUL9VU6CMKPqKH.."..6PGIYL9VU6GMKR1KH.7PKBY3GIUL9VU6.MK.1KHU4PKBY3GIUL9V..@MKP1K.U4PIB\3..WL.cT6@MKP0KHS4PKBY3GIUL9VU6CMKP1KHU4PKBY3GIUL9VU6CMKP1KHU4PKBD...qh.K}G)W.m.2.S..J..0..6.@.8Y.z.E.....~FA..L.Ye..B.... .XN;X.....6^GM%.'.D).).....f=...P;.9...Oy.;2t.k...ov...97....?..W?&l8C7%0bj73W1$.R.JHU4P........P..lnNDN.Y0.....m!?....+6CM/P1K:U4PBY3.IULVVU6-MKPOKHUJPKB.3GI.L9Vb6CMnP1K%U4PoBY39IUL.+Z9...9B.U4PKBl..y.!...i.z..}9.J.)z..-....Pe.B#.F....E..X..B.RPvx.JJV5NJR0SG.Wx...m;RQ3AJOS=vF...c...l...$.....7HU4PKB.3G.UL9..6.MKP.K.U..KBY..I.L.V..M

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.031465187330132
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Orden de compra.000854657689654253545676785436.exe
File size:	1'163'776 bytes
MD5:	cb29bcf1cb3fc646be98d82c5d9f9eb9
SHA1:	3c7745a7f680529e340eaf621b44d00a0fb144f2
SHA256:	2423cbba54e73aee0fcc5914484f01f2f11684cdde5a3a07681d0d3fed59aa36
SHA512:	4045a11fc031c08c50ccd364cb311ce1b1e76332ea9e19eeb3b41ece59c30f8095e141dbfa10a7aded7950cbf0fdf7f2ac6f505d42928cfd22ac483b4001301a
SSDEEP:	24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8atjPg3BD5:tTvC/MTQYxsWR7atjal
TLSH:	4135BF0273D1D062FFAB92334F5AE6115BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C4B1F1 [Tue Aug 20 15:10:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA520CEE0D3h
jmp 00007FA520CED9DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA520CEDBBDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA520CEDB8Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA520CF077Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA520CF07C8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA520CF07B1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x4578c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11a000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x4578c	0x45800	cd8568bc10b04576775524b9f7eee4f7	False	0.9057722571942446	data	7.841766618149473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11a000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x3ca54	data			1.0003462102059548
RT_GROUP_ICON	0x11920c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x119284	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x119298	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1192ac	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1192c0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11939c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:02:46.098334074 CEST	49702	80	192.168.2.11	208.95.112.1
Aug 29, 2024 12:02:46.104918957 CEST	80	49702	208.95.112.1	192.168.2.11
Aug 29, 2024 12:02:46.105133057 CEST	49702	80	192.168.2.11	208.95.112.1
Aug 29, 2024 12:02:46.109308004 CEST	49702	80	192.168.2.11	208.95.112.1
Aug 29, 2024 12:02:46.114809036 CEST	80	49702	208.95.112.1	192.168.2.11
Aug 29, 2024 12:02:46.596596956 CEST	80	49702	208.95.112.1	192.168.2.11
Aug 29, 2024 12:02:46.651582956 CEST	49702	80	192.168.2.11	208.95.112.1
Aug 29, 2024 12:03:27.078346968 CEST	80	49702	208.95.112.1	192.168.2.11
Aug 29, 2024 12:03:27.078408957 CEST	49702	80	192.168.2.11	208.95.112.1
Aug 29, 2024 12:04:26.606014013 CEST	49702	80	192.168.2.11	208.95.112.1
Aug 29, 2024 12:04:26.610933065 CEST	80	49702	208.95.112.1	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:02:45.667668104 CEST	64996	53	192.168.2.11	1.1.1.1
Aug 29, 2024 12:02:46.092746019 CEST	53	64996	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 12:02:45.667668104 CEST	192.168.2.11	1.1.1.1	0x16ed	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 12:02:46.092746019 CEST	1.1.1.1	192.168.2.11	0x16ed	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49702	208.95.112.1	80	560	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:46.109308004 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Aug 29, 2024 12:02:46.596596956 CEST	175	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:45 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	06:02:41
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe"
Imagebase:	0xfd0000
File size:	1'163'776 bytes
MD5 hash:	CB29BCF1CB3FC646BE98D82C5D9F9EB9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1528087641.0000000001310000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:02:42
Start date:	29/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe"
Imagebase:	0x980000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2777145193.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2778089830.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	3%
Total number of Nodes:	1967
Total number of Limit Nodes:	54

Executed Functions

Function 00FD42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FD430D

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

GetCurrentProcess.KERNEL32(?,0106CB64,00000000,?,?), ref: 00FD4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00FD4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FD4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FD4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00FD4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FD447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00FD44A0

Strings

|O, xrefs: 010136F8
kernel32.dll, xrefs: 00FD444F
GetNativeSystemInfo, xrefs: 00FD4460

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3f68ab76f19d29fa15df96b9aa85d74026a89ae2d2080f6abbd35726425b6621
Instruction ID: ca300ab538dcda7dbadbaa2887573ff95459bdb70cb7c037a97528c6edc60007
Opcode Fuzzy Hash: 3f68ab76f19d29fa15df96b9aa85d74026a89ae2d2080f6abbd35726425b6621
Instruction Fuzzy Hash: 54A17E3790EAC0DFC732CF6974402997EE57B26250F88D89AD4C1ABB0ED63E4548DB61

Function 00FD42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FD50AA,?,?,00000000,00000000), ref: 00FD42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FD50AA,?,?,00000000,00000000), ref: 00FD42C9
LoadResource.KERNEL32(?,00000000,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20), ref: 010135BE
SizeofResource.KERNEL32(?,00000000,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20), ref: 010135D3
LockResource.KERNEL32(00FD50AA,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20,?), ref: 010135E6

Strings

SCRIPT, xrefs: 00FD42BF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 779150f581d366f3b762bac67e75dbe809d34fe908aba790a38d95ecd3026e02
Instruction ID: 9a20dce47b81f62748ad2d0d4817700ed697be4a802990822c8061a239cd0dd6
Opcode Fuzzy Hash: 779150f581d366f3b762bac67e75dbe809d34fe908aba790a38d95ecd3026e02
Instruction Fuzzy Hash: 29117C71200701BFE7218B65DD48F277BBAEBC5B62F14416AF886D7254DB76E8009670

Function 01012BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00FD2B6B

Part of subcall function 00FD3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010A1418,?,00FD2E7F,?,?,?,00000000), ref: 00FD3A78

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01092224), ref: 01012C10
ShellExecuteW.SHELL32(00000000,?,?,01092224), ref: 01012C17

Strings

runas, xrefs: 01012C0B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b908ab97b47e6a6cb2ca58c589158988ba8ee5839529fe7ed2d66092102a2dd2
Instruction ID: 2195e01886312c64bc9bf9f35f8201d0d7d9f5d7834452a629c22947a2c6263f
Opcode Fuzzy Hash: b908ab97b47e6a6cb2ca58c589158988ba8ee5839529fe7ed2d66092102a2dd2
Instruction Fuzzy Hash: 6911D2316082016AC715FF64DD5196EBBA6ABA1750F4C041FF2C2462A2CF7D8A09B752

Function 0103DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,01015222), ref: 0103DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0103DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0103DBEE
FindClose.KERNEL32(00000000), ref: 0103DBFA

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 5636fbe5babc33fd04b1c5df193f8701aa0757787e722d7b48f6947f3cc79c62
Instruction ID: a80e2ed19f3b0f52dad72d31fde7b219afd0fb06a1e6629289c2e7c363d68361
Opcode Fuzzy Hash: 5636fbe5babc33fd04b1c5df193f8701aa0757787e722d7b48f6947f3cc79c62
Instruction Fuzzy Hash: F7F0EC7043051597A2306BBC9D0D46A77AC9E41334B404742F8F5C10F0EBB5995447D5

Function 00FDD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FDD807
timeGetTime.WINMM ref: 00FDDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FDDB28
TranslateMessage.USER32(?), ref: 00FDDB7B
DispatchMessageW.USER32(?), ref: 00FDDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FDDB9F
Sleep.KERNEL32(0000000A), ref: 00FDDBB1

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: dc1f6823e225c8353a8f3ab58ec25c58db943e98e2e7c1c036e4c11eab88b1c9
Instruction ID: 1de6216cec3ae3ca10fdb80e23ff6325f78efa3a025fc81343fa39cfd9737e23
Opcode Fuzzy Hash: dc1f6823e225c8353a8f3ab58ec25c58db943e98e2e7c1c036e4c11eab88b1c9
Instruction Fuzzy Hash: AA421330608342DFD739DF24C894BAABBE2BF85314F18855AE4D587391D775E844EB82

Function 00FD2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FD2D07
RegisterClassExW.USER32(00000030), ref: 00FD2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD2D42
InitCommonControlsEx.COMCTL32(?), ref: 00FD2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD2D6F
LoadIconW.USER32(000000A9), ref: 00FD2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD2D94

Strings

AutoIt v3 GUI, xrefs: 00FD2D23
TaskbarCreated, xrefs: 00FD2D37
0, xrefs: 00FD2CE9
+, xrefs: 00FD2CF0

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: aca0c8aabbff89e1949a99ae1d8d67146aae8cec6e182723749481d1882e86f7
Instruction ID: c3f78532a1c807ba05fda7af368226b56545a90e939e9de83918291335868e68
Opcode Fuzzy Hash: aca0c8aabbff89e1949a99ae1d8d67146aae8cec6e182723749481d1882e86f7
Instruction Fuzzy Hash: 632117B5D01358AFEB20DFA4E949BDDBBB8FB08700F00811AF591A6294D7BA0544CF91

Function 0101065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0101039A: CreateFileW.KERNELBASE(00000000,00000000,?,01010704,?,?,00000000,?,01010704,00000000,0000000C), ref: 010103B7

GetLastError.KERNEL32 ref: 0101076F
__dosmaperr.LIBCMT ref: 01010776
GetFileType.KERNELBASE(00000000), ref: 01010782
GetLastError.KERNEL32 ref: 0101078C
__dosmaperr.LIBCMT ref: 01010795
CloseHandle.KERNEL32(00000000), ref: 010107B5
CloseHandle.KERNEL32(?), ref: 010108FF
GetLastError.KERNEL32 ref: 01010931
__dosmaperr.LIBCMT ref: 01010938

Strings

H, xrefs: 010108BD

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 864f4027594d7c233ab582dc9384d7fb6ab44ab8f9fee991661cc61ae74a9492
Instruction ID: c046e7d17304479e691a7d271609d77846a4ff5abb0683aa099704938a0cfe78
Opcode Fuzzy Hash: 864f4027594d7c233ab582dc9384d7fb6ab44ab8f9fee991661cc61ae74a9492
Instruction Fuzzy Hash: 99A13832A041098FDF19EF68D851BAE3BE0AF06324F14419DF8D5EB2D9D7398952CB91

Function 00FD344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FD3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010A1418,?,00FD2E7F,?,?,?,00000000), ref: 00FD3A78

Part of subcall function 00FD3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FD3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FD356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0101318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 010131CE
RegCloseKey.ADVAPI32(?), ref: 01013210
_wcslen.LIBCMT ref: 01013277
_wcslen.LIBCMT ref: 01013286

Strings

Include, xrefs: 01013184, 010131C5
\, xrefs: 0101328C
Software\AutoIt v3\AutoIt, xrefs: 00FD3560
\Include\, xrefs: 00FD3527

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 2503d0c440692a0fdf4d49ac1760902b3f4fc02293cfc388e55fa4d2f1f11891
Instruction ID: 18256a687bb4a9c0a6c31cf53867051ef4c9a8c7b127a713bc0eed05d661d3c7
Opcode Fuzzy Hash: 2503d0c440692a0fdf4d49ac1760902b3f4fc02293cfc388e55fa4d2f1f11891
Instruction Fuzzy Hash: 9971E4724043019ED324EF69DC818ABBBE8FF86750F84843EF5C497264EB7A9548DB52

Function 00FD2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FD2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00FD2B9D
LoadIconW.USER32(00000063), ref: 00FD2BB3
LoadIconW.USER32(000000A4), ref: 00FD2BC5
LoadIconW.USER32(000000A2), ref: 00FD2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FD2BEF
RegisterClassExW.USER32(?), ref: 00FD2C40

Part of subcall function 00FD2CD4: GetSysColorBrush.USER32(0000000F), ref: 00FD2D07
Part of subcall function 00FD2CD4: RegisterClassExW.USER32(00000030), ref: 00FD2D31
Part of subcall function 00FD2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD2D42
Part of subcall function 00FD2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FD2D5F
Part of subcall function 00FD2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD2D6F
Part of subcall function 00FD2CD4: LoadIconW.USER32(000000A9), ref: 00FD2D85
Part of subcall function 00FD2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD2D94

Strings

#, xrefs: 00FD2C16
AutoIt v3, xrefs: 00FD2C2F
0, xrefs: 00FD2C0F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5748b6c0cb35e84f66f941b2b17884b6edcc36b79a2f7e64fb8855132e563b45
Instruction ID: db43bd0a8cc39adac1eed36ab4823e4ee7809fb39f5c15c2a3acca650c6475ba
Opcode Fuzzy Hash: 5748b6c0cb35e84f66f941b2b17884b6edcc36b79a2f7e64fb8855132e563b45
Instruction Fuzzy Hash: AA218E76E00314AFDB209FA5E944B9D7FF5FB08B50F40801AF584A2394D3BA0540DF90

Function 00FD3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FD316A,?,?), ref: 00FD31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00FD316A,?,?), ref: 00FD3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FD3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FD316A,?,?), ref: 00FD3232
CreatePopupMenu.USER32 ref: 00FD3246
PostQuitMessage.USER32(00000000), ref: 00FD3267

Strings

TaskbarCreated, xrefs: 00FD322D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a7781a905c0220edc4fae11d086ea3ef84c7bfc5d201ae992257bc2c964b9701
Instruction ID: b44e235fa34e885523597182ec83334bbf163cb4746656d8545beef21e235f4c
Opcode Fuzzy Hash: a7781a905c0220edc4fae11d086ea3ef84c7bfc5d201ae992257bc2c964b9701
Instruction Fuzzy Hash: 6941E437A00201AAEB246FB8DD09B793A5AF705351F5C411BF7D2C6395CA7E9A40B362

Function 01008D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343f3fa5452264d369bb29e5d2be5fd7461fb79d65f7e3c0b9dbaae0ca4120c3
Instruction ID: 062819872a75c00b55280d3a0eab8458b490428f348d88a42a49aed3d2cbea9d
Opcode Fuzzy Hash: 343f3fa5452264d369bb29e5d2be5fd7461fb79d65f7e3c0b9dbaae0ca4120c3
Instruction Fuzzy Hash: EDC1BF74D04249AFEB22DFACD844BADBFB4BF09314F04419AF698A72D2C7359941CB61

Function 013025F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 013026C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 013028E7

Memory Dump Source

Source File: 00000000.00000002.1528063262.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_Orden de compra.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: a2a461a9fb5c37a14576e5495150c4bc8b2549d178dae4cb5baf4c5beee99c35
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 18A10874E00209EBDB15CFA8C8A8BEEBBB5BF48708F208559E505BB2C1D7759A41CF54

Function 00FD2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FD2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FD2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FD1CAD,?), ref: 00FD2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FD1CAD,?), ref: 00FD2CCF

Strings

AutoIt v3, xrefs: 00FD2C89, 00FD2C8E, 00FD2C8F
edit, xrefs: 00FD2CAC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6af094bf6a0cbca682249db23407bd25431b1b282bafe0ca61098e5037ad3c88
Instruction ID: a93a18b714e900f76310d983049d1f86ebff188efbb9c3ffd160354d1955f61a
Opcode Fuzzy Hash: 6af094bf6a0cbca682249db23407bd25431b1b282bafe0ca61098e5037ad3c88
Instruction Fuzzy Hash: 83F0DA765406A07AEB311B17AC0CE772EBDE7C6F60F40805EF980A6554C6BA1850DBB0

Function 013023B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013022A0: Sleep.KERNELBASE(000001F4), ref: 013022B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013024E0

Strings

GIUL9VU6CMKP1KHU4PKBY3, xrefs: 01302543, 01302546

Memory Dump Source

Source File: 00000000.00000002.1528063262.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_Orden de compra.jbxd

Similarity

API ID: CreateFileSleep
String ID: GIUL9VU6CMKP1KHU4PKBY3
API String ID: 2694422964-3264583248
Opcode ID: e08a6ab574d13aeb56a35fc1689c0b7ad558147d637f1b1f085a8f74527d861e
Instruction ID: 3749337e3b14a0bc13d983b21a699c980b2228f2b69653e870ec07dd9f95e9bb
Opcode Fuzzy Hash: e08a6ab574d13aeb56a35fc1689c0b7ad558147d637f1b1f085a8f74527d861e
Instruction Fuzzy Hash: CE517530D04248DAEF12DBE4C858BEFBBB9AF15304F044199E6497B2C1D7BA5B44CB65

Function 01042947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042C05
DeleteFileW.KERNEL32(?), ref: 01042C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01042C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042CC0

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 8ced5df396b76b65f58199675e74cfb98131597874d73defc2a72bfd35b13bdf
Instruction ID: a63eff196d25636b92cb02e95866bdccbf3afe0d9e3892897900dc3ac2b9c6c1
Opcode Fuzzy Hash: 8ced5df396b76b65f58199675e74cfb98131597874d73defc2a72bfd35b13bdf
Instruction Fuzzy Hash: BCB160B1E0011DABDF21DBA4DC85EEE7BBDEF48340F0440A6F649E6151EA359A448FA1

Function 00FD3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B83

Strings

Control Panel\Mouse, xrefs: 00FD3B3E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3eb3e8727deb137a3fa924c0ada26fcd4bdc96114e2067c6e751f1fc54e08ecf
Instruction ID: 39c419590c175170c2e9e2ae6e5a0efa0853f9fd37f2d10228e1dc9b1e5fdf20
Opcode Fuzzy Hash: 3eb3e8727deb137a3fa924c0ada26fcd4bdc96114e2067c6e751f1fc54e08ecf
Instruction Fuzzy Hash: B8115AB5510208FFEB208FA4DC44AAEB7B9EF41750B14446BF941D7214D2319F40A760

Function 013012A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01301ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01301AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01301B13

Memory Dump Source

Source File: 00000000.00000002.1528063262.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_Orden de compra.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: e72085aec20e4a5fe7f7e6f866ad85f0533c05536c6210569ca7649a085814e1
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: CD620B30A14258DBEB25CFA4C850BDEB376EF58304F1091A9D20DEB2D4E7759E81CB59

Function 00FDDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 010232B7

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 00305bef91e5bf62c32ced710e1b82651f58400cb8dbededafd20d0d529a9ab9
Instruction ID: c557b984e7b9a1a4709e5d363269930d59b3b08d4c0283b792c959f9de920737
Opcode Fuzzy Hash: 00305bef91e5bf62c32ced710e1b82651f58400cb8dbededafd20d0d529a9ab9
Instruction Fuzzy Hash: 32C26A75E00215CFCB24EF58C880BADB7B2BF09310F28856AE955AF351D379AD41EB91

Function 00FD3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 010133A2

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FD3A04

Strings

Line: , xrefs: 010133EB

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 5f47c029126f5f922a6d3a5ab90b3e8200662c3368bd73432195051af8197354
Instruction ID: a30fad9011d538f131692e8177828903b99432fb2e9a0dafff3da6383c6931ad
Opcode Fuzzy Hash: 5f47c029126f5f922a6d3a5ab90b3e8200662c3368bd73432195051af8197354
Instruction Fuzzy Hash: 9131E272508304AAD325EB20DC45BEFB7DAAF40720F08452FF6D982285DB789A48D7D3

Function 00FEFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00FF0668

Part of subcall function 00FF32A4: RaiseException.KERNEL32(?,?,?,00FF068A,?,010A1444,?,?,?,?,?,?,00FF068A,00FD1129,01098738,00FD1129), ref: 00FF3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00FF0685

Strings

Unknown exception, xrefs: 00FF0692

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 0700ba37a045dc253a34298f4f34ab1782dd6f1988ec7f186b2347b3ccb56b1a
Instruction ID: 6549ce84ff6b2fa1da23615da2e789f0c6d8cd7ba87a70eb96777c81d314ab7b
Opcode Fuzzy Hash: 0700ba37a045dc253a34298f4f34ab1782dd6f1988ec7f186b2347b3ccb56b1a
Instruction Fuzzy Hash: 10F02835D0020D738F10BA65DC46D7E7B6C5E00320B504071BA14C55B2EF74EA29F5C0

Function 01043017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0104302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 01043044

Strings

aut, xrefs: 01043038

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5585dc3ee21d4a41873f90b30cb9faeb5af0b6e5912fb292a6e538f054bdcb23
Instruction ID: b0de322f861074c1c4c4526cad7b494af72b2df92950950543181a42fd6af11b
Opcode Fuzzy Hash: 5585dc3ee21d4a41873f90b30cb9faeb5af0b6e5912fb292a6e538f054bdcb23
Instruction Fuzzy Hash: 79D05B7150031467DB309695DD0DFC73A6CD704650F000151BAD5D6095DAB99544CBD0

Function 01057F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 010582F5
TerminateProcess.KERNEL32(00000000), ref: 010582FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 010584DD

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 21749f1d429605b941f6fec2fb5f480f67673cdc6bc0e1eea523795fa915595b
Instruction ID: 0b227fbe29a2293085e8124056c631bc4286e5785783f961b1b12418b94dd0e1
Opcode Fuzzy Hash: 21749f1d429605b941f6fec2fb5f480f67673cdc6bc0e1eea523795fa915595b
Instruction Fuzzy Hash: BE127A71A083419FD754DF29C484B6ABBE5BF88318F04895EEC898B352CB35E945CF92

Function 01005AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c5428bc4effedf1078349b1bd301cec1e1b94add8360eb92126d15f4a3d872
Instruction ID: 9250ca9235612dbf8b1070ec45a9a7cef95f27818fb606962aa378a9171510bf
Opcode Fuzzy Hash: 44c5428bc4effedf1078349b1bd301cec1e1b94add8360eb92126d15f4a3d872
Instruction Fuzzy Hash: ED519E7190020E9FEB239FA8CD45EFEBFB8AF45314F040199E585A72D1D6759A01CF61

Function 00FD10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD1BF4
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD1BFC
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD1C07
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD1C12
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD1C1A
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD1C22

Part of subcall function 00FD1B4A: RegisterWindowMessageW.USER32(00000004,?,00FD12C4), ref: 00FD1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FD136A
OleInitialize.OLE32 ref: 00FD1388
CloseHandle.KERNEL32(00000000,00000000), ref: 010124AB

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 170fb01820fc612200cebe44679959c0c14f181d9825a65d0a17c3ccc159b4a4
Instruction ID: 030bfdad99d34ac0324d188fe46c93549dcb644099facb2f25f28600ffb19069
Opcode Fuzzy Hash: 170fb01820fc612200cebe44679959c0c14f181d9825a65d0a17c3ccc159b4a4
Instruction Fuzzy Hash: A271CBB8901A10CFC3A8EF79E5456953AE5FB49384FD8822AD0DAC7389EB3E4401CF51

Function 010086AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,010085CC,?,01098CC8,0000000C), ref: 01008704
GetLastError.KERNEL32(?,010085CC,?,01098CC8,0000000C), ref: 0100870E
__dosmaperr.LIBCMT ref: 01008739

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 9625e69e5861983343c146a167b76f0e4a3d6853d0f893a4b9dfbe02df0d183d
Instruction ID: 3e572dd623319e50030c0fa135d6f1f4783bc1fad326ff9ccf954bb002b2149a
Opcode Fuzzy Hash: 9625e69e5861983343c146a167b76f0e4a3d6853d0f893a4b9dfbe02df0d183d
Instruction Fuzzy Hash: 45018232E0426016F6B36238AC4477E2FC96B95734F26819BE9C89B0D7DE65C4818750

Function 01042FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,01042CD4,?,?,?,00000004,00000001), ref: 01042FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01042CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01043006
CloseHandle.KERNEL32(00000000,?,01042CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0104300D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f37348d795e27acda81005bb195c02715799a3c537b671903d31fb02512d40c2
Instruction ID: 904ba85e6ae246260efa49a88866bcbedc1f4adf96e287718e23786ad7f5e928
Opcode Fuzzy Hash: f37348d795e27acda81005bb195c02715799a3c537b671903d31fb02512d40c2
Instruction Fuzzy Hash: ADE0863228022077F6302659BD0DF8B3E5CDB86B71F104224F7E9790D086A6250143A8

Function 00FE1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FE17F6

Strings

CALL, xrefs: 00FE17C6

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ce9df4c98813566037a8cdf512eace052275a756ee52166c8d75bd31f26c3a3f
Instruction ID: 21eb903e0b337c4cfcd7d80fa3aa37b832fa298c8769b48ce0f4b0675d37913a
Opcode Fuzzy Hash: ce9df4c98813566037a8cdf512eace052275a756ee52166c8d75bd31f26c3a3f
Instruction Fuzzy Hash: ED227D706083819FC714DF16C880B2ABBF1BF85314F18896DF8968B362D776E945DB92

Function 01046EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01046F6B

Part of subcall function 00FD4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 01046F5A, 01046F63

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 0dcc7c8e76f483d8d3b0268ffa537c428adc674922931a22bb0432f14e7970ea
Instruction ID: 8393944ad3275175dd219508259e7fbe9cd9e0de12ba228406f19b2d9296e342
Opcode Fuzzy Hash: 0dcc7c8e76f483d8d3b0268ffa537c428adc674922931a22bb0432f14e7970ea
Instruction Fuzzy Hash: B4B195711082018FCB15EF24C8919AEB7E6AF94300F48496EF5D697362EB34ED49DB92

Function 00FD2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 01012C8C

Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2

Part of subcall function 00FD2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD2DC4

Strings

X, xrefs: 01012C5A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 09c3c4898de44209781de2d079df9bcfd17cf146ff41df96a55a939efef2bbc1
Instruction ID: d88c40635c814e1cb6dde71213d9c3ef727d5bd3fb8b241054bbfeeb2507fd93
Opcode Fuzzy Hash: 09c3c4898de44209781de2d079df9bcfd17cf146ff41df96a55a939efef2bbc1
Instruction Fuzzy Hash: 1A21F371A002489BDF41EF94CC45BEE7BF9AF49304F04805AE544E7345DBB856899BA1

Function 01042557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 01042587

Strings

EA06, xrefs: 010425B9

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: ff28abbbfcf1955e75fc027889a6de949fbf594463ab02ef2a91e84421e75de8
Instruction ID: 3e101d4962b70f8c7939fbae7ec3d5edf49c9926df9d5d9cd9ebd2d105274bfc
Opcode Fuzzy Hash: ff28abbbfcf1955e75fc027889a6de949fbf594463ab02ef2a91e84421e75de8
Instruction Fuzzy Hash: 2B01B9719442587EDF18D7A8CC56EBE7BF89F05305F00455AF193D6181E5B8E704DB60

Function 00FD3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD3908

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8d7d62f0a00c138c72fbc698890493c0259c53978ce34a70fd3f64220eb9c7be
Instruction ID: c3d448abb41be867d5d0b24c8ca225ffe8be12ad6ee3bbb6f6bc5c81f8e8629c
Opcode Fuzzy Hash: 8d7d62f0a00c138c72fbc698890493c0259c53978ce34a70fd3f64220eb9c7be
Instruction Fuzzy Hash: 373193729047019FE720DF24D484797BBE8FB49718F04092EF6DA97340E7B6AA44DB52

Function 00FDB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FDBB4E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 45227eac1fbc1206a753151aa8a11ccfbeda003d5a2bda4cf367a90fae922894
Instruction ID: 74f70b8f6bf049271a868a4353392cef63fbf68a4fbe97bab7272c6edcaf19ad
Opcode Fuzzy Hash: 45227eac1fbc1206a753151aa8a11ccfbeda003d5a2bda4cf367a90fae922894
Instruction Fuzzy Hash: 0832EC31A00219DFDB20CF58C894BBEB7BAEF44310F19805AF985AB355C778AD41EB91

Function 0130129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01301ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01301AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01301B13

Memory Dump Source

Source File: 00000000.00000002.1528063262.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_Orden de compra.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 0ed57b5a68601602e58bc3e68c3098e1b036b059b48bf19f2277555e773eb4c0
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 8212BD24E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CB5A

Function 00FD4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E9C
Part of subcall function 00FD4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4EAE
Part of subcall function 00FD4E90: FreeLibrary.KERNEL32(00000000,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EFD

Part of subcall function 00FD4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E62
Part of subcall function 00FD4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4E74
Part of subcall function 00FD4E59: FreeLibrary.KERNEL32(00000000,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E87

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d11dbeee35e29109e1896679d2ccca8c54aece4c1ce260720c677a294205f5c1
Instruction ID: 531c4ac09412a6fc11e8cc4abc51feda5b6f890c6eea477f5dfed4a20dac05b3
Opcode Fuzzy Hash: d11dbeee35e29109e1896679d2ccca8c54aece4c1ce260720c677a294205f5c1
Instruction Fuzzy Hash: DC110A32600205ABDF14FF64DD16FAD77A6AF40B10F14442FF592AB2E1DE78AA05B750

Function 01008402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 01008440

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d374f3d311a6b5af67ddea401336bcd465707ede16adf6be6bbead75dbd26a5f
Instruction ID: 88115d139422b21e92edd4a02dad9b110e91a9222586bb2933ccadbb71cc8f35
Opcode Fuzzy Hash: d374f3d311a6b5af67ddea401336bcd465707ede16adf6be6bbead75dbd26a5f
Instruction Fuzzy Hash: 8211487190410AAFDB06DF58E9409DE7BF9FF48300F01809AF848AB341DB31DA11CBA4

Function 01005000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01004C7D: RtlAllocateHeap.NTDLL(00000008,00FD1129,00000000,?,01002E29,00000001,00000364,?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?), ref: 01004CBE

_free.LIBCMT ref: 0100506C

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 5e8dca7e150cf7d344b10f94ded27be0a59cbca9c17a02b67e705159b1b4137a
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 7E012B722043055BF323CE599C4499EFBECFB85270F25051DE1C4872C0EA306805CA74

Function 00FFE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 2870e560871c4e9d6c1568b27c5cd85f9a547272a3a8b62ad37626ae1d7dc924
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: F6F02D32920E1C96D7333E658C04BBA33989F62330F100716F665D71F0DB74D401A9A5

Function 01004C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00FD1129,00000000,?,01002E29,00000001,00000364,?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?), ref: 01004CBE

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 19164ea08e5f6952d95dc9055c021db33abc34fa1ce1c8905e8a35033fe88cd6
Instruction ID: 807cca69f80908dd42bc034b934ae2fbcc20a3f088263ea11cd351e962c9dfce
Opcode Fuzzy Hash: 19164ea08e5f6952d95dc9055c021db33abc34fa1ce1c8905e8a35033fe88cd6
Instruction Fuzzy Hash: CDF0B43160022C67FBA35E669C09F6B3BC8AF417A0F084161FB99EA1D4CB35D40046E8

Function 01003820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d871a61536783a69ec361397fd92ac5da58bf10246a05de0707c7bd82dfcde5d
Instruction ID: d5884f2b058cbf24406a722b06812c2019f863f25db3f4f51ab3928b72c925c2
Opcode Fuzzy Hash: d871a61536783a69ec361397fd92ac5da58bf10246a05de0707c7bd82dfcde5d
Instruction Fuzzy Hash: 77E065311017299EF7732A6A9C05BAB3A89BF426B0F0501E1FED59E5D1DB25EA0183F1

Function 00FD4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4F6D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 84347deee13fbdfc610fe230a70d6f23ce87fccfc4c762eb857deefa1d527ec7
Instruction ID: 758da958ad098c2cfab47a6241142af78be3d9bcc26c12b3670cf7f4fd82b309
Opcode Fuzzy Hash: 84347deee13fbdfc610fe230a70d6f23ce87fccfc4c762eb857deefa1d527ec7
Instruction Fuzzy Hash: 4FF03071505751CFDB359F64D490922BBF5AF14329318897FE1EA83630C731A844EF10

Function 00FD2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD2DC4

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: f7adc9df84ddb6a63cea3d3a7f8b355fa40f5f813c1b0d66107d0914ac88fd9a
Instruction ID: 48ac6af07303ca716591873c3471a1a5e296cb743c86dd32b97bc22756cb9cfe
Opcode Fuzzy Hash: f7adc9df84ddb6a63cea3d3a7f8b355fa40f5f813c1b0d66107d0914ac88fd9a
Instruction Fuzzy Hash: EFE0CD726041245BC721A2589C05FDA77DDDFC8790F040076FD49D724CD974AD808650

Function 01042693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 010426B5

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: a50740272028c7a3aed4e32c4aeaae7153eeca5da09cdb0cb1b0370efab8cc8a
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: A6E04FB0609B005FDF396E2CA8917B677E99F4A340F00086EF6DB93262E57268458A4D

Function 00FD2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FD3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD3908

Part of subcall function 00FDD730: GetInputState.USER32 ref: 00FDD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00FD2B6B

Part of subcall function 00FD30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FD314E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 532a4879d5e4bb721bc41409a16d6a8bad6c1ebefbed8736fd71b07001b79c4c
Instruction ID: 79fa7a0aa32b944c6d4863f1f671b04a94e653d01f646aca1beb22feb4051445
Opcode Fuzzy Hash: 532a4879d5e4bb721bc41409a16d6a8bad6c1ebefbed8736fd71b07001b79c4c
Instruction Fuzzy Hash: 7FE0263270420402CA04BB74AC1246DB74B9BD1351F88053FF28283353CE7D4A456352

Function 0101039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,01010704,?,?,00000000,?,01010704,00000000,0000000C), ref: 010103B7

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4e3a0b452ff7ccdb9f1555dc64106fe0bf60d66870a336a6f127f754342134f5
Instruction ID: d6fb79117f2053f2d6affabce41156853937d56249e1fc94309cdac6f161e810
Opcode Fuzzy Hash: 4e3a0b452ff7ccdb9f1555dc64106fe0bf60d66870a336a6f127f754342134f5
Instruction Fuzzy Hash: 50D06C3204010DFBDF128F84DD06EDA3BAAFB48714F014000FE5856020C736E821AB90

Function 00FD1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FD1CBC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3303c62dd2069b02f761bdd6db85cdfd646d25b76e500510769427ee9d2f6209
Instruction ID: 8b1f48b39f199d850f188b09c2e32a8d2087fcdb776cedf2e376f5d70f0e50e9
Opcode Fuzzy Hash: 3303c62dd2069b02f761bdd6db85cdfd646d25b76e500510769427ee9d2f6209
Instruction Fuzzy Hash: EFC09B36280704DFF2344A90BD4AF107755B348B10F448001F6C9555D7C3B71450DB50

Function 00FEFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00FEFD1F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 058c9a025ae5baf8904e757122ea37850947b6cd739bb39bdb1a4f095e395d93
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D9311A75A00149DBD728CF5AD480A69FBA1FF49310B7486A5E809CF651E731EEC5EBC0

Function 013022A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 013022B1

Memory Dump Source

Source File: 00000000.00000002.1528063262.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_Orden de compra.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: a0f9273c6febfcedb835bc99cf963694c85b9f67ff78ba10af719879b9132be2
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D8E0BF7494010E9FDB00EFA4D54969E7BB4EF04301F100161FD0592281D63199508A62

Non-executed Functions

Function 01069576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0106961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0106965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0106969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010696C9
SendMessageW.USER32 ref: 010696F2
GetKeyState.USER32(00000011), ref: 0106978B
GetKeyState.USER32(00000009), ref: 01069798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010697AE
GetKeyState.USER32(00000010), ref: 010697B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010697E9
SendMessageW.USER32 ref: 01069810
SendMessageW.USER32(?,00001030,?,01067E95), ref: 01069918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0106992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01069941
SetCapture.USER32(?), ref: 0106994A
ClientToScreen.USER32(?,?), ref: 010699AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010699BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010699D6
ReleaseCapture.USER32 ref: 010699E1
GetCursorPos.USER32(?), ref: 01069A19
ScreenToClient.USER32(?,?), ref: 01069A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01069A80
SendMessageW.USER32 ref: 01069AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01069AEB
SendMessageW.USER32 ref: 01069B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01069B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01069B4A
GetCursorPos.USER32(?), ref: 01069B68
ScreenToClient.USER32(?,?), ref: 01069B75
GetParent.USER32(?), ref: 01069B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01069BFA
SendMessageW.USER32 ref: 01069C2B
ClientToScreen.USER32(?,?), ref: 01069C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01069CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01069CDE
SendMessageW.USER32 ref: 01069D01
ClientToScreen.USER32(?,?), ref: 01069D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01069D82

Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952

GetWindowLongW.USER32(?,000000F0), ref: 01069E05

Strings

@GUI_DRAGID, xrefs: 0106997D
F, xrefs: 01069D07

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: b96ec53b55a4f4320d20e15ca76bdc34b4ee4f318efdc167f5292175f96d7965
Instruction ID: bc1c309c7c99d1527d03c21140360d2bbec3afd5f6d5a80b944bc77a6a8719f8
Opcode Fuzzy Hash: b96ec53b55a4f4320d20e15ca76bdc34b4ee4f318efdc167f5292175f96d7965
Instruction Fuzzy Hash: 75428B34204341AFEB25CF28C944AAABBE9FF4D318F040659F6D9876A1D776E850CF51

Function 01064873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010648F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01064908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01064927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0106494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0106495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0106497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010649AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010649D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01064A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01064A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01064A7E
IsMenu.USER32(?), ref: 01064A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01064AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01064B20
GetWindowLongW.USER32(?,000000F0), ref: 01064B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01064BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01064C82
wsprintfW.USER32 ref: 01064CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01064CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01064CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01064D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01064D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01064D5A

Strings

%d/%02d/%02d, xrefs: 01064CA8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 491416010d6d5f7e0d7f141726aa9d2b054b302fe2da56f694893873a725b262
Instruction ID: 57353563de1f34de50c8b69ba6af0bedbc1eb7c933b3c4bc2ba3d66ba378ea6d
Opcode Fuzzy Hash: 491416010d6d5f7e0d7f141726aa9d2b054b302fe2da56f694893873a725b262
Instruction Fuzzy Hash: 56122331600244ABFB259F28DC49FAE7BF8EF49710F044169F695DB2E1DB78A940CB50

Function 00FEF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00FEF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0102F474
IsIconic.USER32(00000000), ref: 0102F47D
ShowWindow.USER32(00000000,00000009), ref: 0102F48A
SetForegroundWindow.USER32(00000000), ref: 0102F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0102F4AA
GetCurrentThreadId.KERNEL32 ref: 0102F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0102F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0102F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0102F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0102F4DE
SetForegroundWindow.USER32(00000000), ref: 0102F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F4F6
keybd_event.USER32(00000012,00000000), ref: 0102F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F50B
keybd_event.USER32(00000012,00000000), ref: 0102F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F519
keybd_event.USER32(00000012,00000000), ref: 0102F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F528
keybd_event.USER32(00000012,00000000), ref: 0102F52D
SetForegroundWindow.USER32(00000000), ref: 0102F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0102F557

Strings

Shell_TrayWnd, xrefs: 0102F46F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9dfd5b79de74c415b44c299c254640a8633fa5de87b095c9fe1564f5b2e1e952
Instruction ID: 096a6e357637c802f38b52a7af85cca28bd3472e33fbe5221648045364ae3665
Opcode Fuzzy Hash: 9dfd5b79de74c415b44c299c254640a8633fa5de87b095c9fe1564f5b2e1e952
Instruction Fuzzy Hash: 26316371A40228BBFB316BB55D4AFBF7EBCEB48B50F100056F681E61D1C6B65940AB60

Function 01031201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 010316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
Part of subcall function 010316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
Part of subcall function 010316C3: GetLastError.KERNEL32 ref: 0103174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01031286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010312A8
CloseHandle.KERNEL32(?), ref: 010312B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010312D1
GetProcessWindowStation.USER32 ref: 010312EA
SetProcessWindowStation.USER32(00000000), ref: 010312F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01031310

Part of subcall function 010310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010311FC), ref: 010310D4
Part of subcall function 010310BF: CloseHandle.KERNEL32(?,?,010311FC), ref: 010310E9

Strings

winsta0, xrefs: 010312CC
default, xrefs: 0103130B
, xrefs: 0103125A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 7d20681aa5dfe3f423a42502ddaf1ab3307bd8f7a0b1a0cf20f903da8aa0cb3a
Instruction ID: 2609fc78dde7f0251200bb50a70782f0b8686f62661bd66ae53c4ac1f914204d
Opcode Fuzzy Hash: 7d20681aa5dfe3f423a42502ddaf1ab3307bd8f7a0b1a0cf20f903da8aa0cb3a
Instruction Fuzzy Hash: 24819F71900309AFEF219FA9DD49BEE7FBDEF48700F044159FA90A61A0CB799944CB20

Function 01030B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
Part of subcall function 010310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
Part of subcall function 010310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
Part of subcall function 010310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01030BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01030C00
GetLengthSid.ADVAPI32(?), ref: 01030C17
GetAce.ADVAPI32(?,00000000,?), ref: 01030C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01030C6D
GetLengthSid.ADVAPI32(?), ref: 01030C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01030C8C
HeapAlloc.KERNEL32(00000000), ref: 01030C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01030CB4
CopySid.ADVAPI32(00000000), ref: 01030CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01030CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01030D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01030D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D45
HeapFree.KERNEL32(00000000), ref: 01030D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D55
HeapFree.KERNEL32(00000000), ref: 01030D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D65
HeapFree.KERNEL32(00000000), ref: 01030D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 01030D78
HeapFree.KERNEL32(00000000), ref: 01030D7F

Part of subcall function 01031193: GetProcessHeap.KERNEL32(00000008,01030BB1,?,00000000,?,01030BB1,?), ref: 010311A1
Part of subcall function 01031193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01030BB1,?), ref: 010311A8
Part of subcall function 01031193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01030BB1,?), ref: 010311B7

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f191ae0be6679eaf95594140cd64876761de90e14391edd78a59a53da82e9900
Instruction ID: 7632634019419939cc80d93b6df0b354d9cc76cb34c90178d721eb90b6b9ebb8
Opcode Fuzzy Hash: f191ae0be6679eaf95594140cd64876761de90e14391edd78a59a53da82e9900
Instruction Fuzzy Hash: CF719D7590120AABEF20EFA8DD48BEEBBFCBF45300F044195FA94A6194D775A905CB60

Function 0104EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0106CC08), ref: 0104EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0104EB37
GetClipboardData.USER32(0000000D), ref: 0104EB43
CloseClipboard.USER32 ref: 0104EB4F
GlobalLock.KERNEL32(00000000), ref: 0104EB87
CloseClipboard.USER32 ref: 0104EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0104EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0104EBC9
GetClipboardData.USER32(00000001), ref: 0104EBD1
GlobalLock.KERNEL32(00000000), ref: 0104EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0104EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0104EC38
GetClipboardData.USER32(0000000F), ref: 0104EC44
GlobalLock.KERNEL32(00000000), ref: 0104EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0104EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0104EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0104ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0104ECF3
CountClipboardFormats.USER32 ref: 0104ED14
CloseClipboard.USER32 ref: 0104ED59

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: af356c85b48413c976a48fa90e705547dd5df30db7f98e805ecb1a454da7077f
Instruction ID: dc144dbfdbe9f37e9a226ad207f2f95fd2f0d7d0f292ce05aa7a27932d7e13a5
Opcode Fuzzy Hash: af356c85b48413c976a48fa90e705547dd5df30db7f98e805ecb1a454da7077f
Instruction Fuzzy Hash: BF61E7742043019FE310EF68D984F6A7BE5BF88704F08456EF5D6872A5CB79E905CBA2

Function 0104698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 010469BE
FindClose.KERNEL32(00000000), ref: 01046A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01046A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01046A75

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 01046AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 01046ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 01046B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 01046B32
%02d, xrefs: 01046C00, 01046C0A, 01046C5A, 01046CAA, 01046CFA, 01046D4A
%4d, xrefs: 01046BB1
%03d, xrefs: 01046DA2

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d2897cdda3c0a8ed2d6f077d6997730080498010f80e12a23759c15c75b9832f
Instruction ID: c2462a4eba1ff1fe58e52217705736c6a41ae610ff6f0fb6f58c86b3779731f6
Opcode Fuzzy Hash: d2897cdda3c0a8ed2d6f077d6997730080498010f80e12a23759c15c75b9832f
Instruction Fuzzy Hash: 56D182B1508301AFD310EBA4CC91EABB7EDAF88704F44491EF585C7291EB79DA44DB62

Function 01049642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 01049663
GetFileAttributesW.KERNEL32(?), ref: 010496A1
SetFileAttributesW.KERNEL32(?,?), ref: 010496BB
FindNextFileW.KERNEL32(00000000,?), ref: 010496D3
FindClose.KERNEL32(00000000), ref: 010496DE
FindFirstFileW.KERNEL32(*.*,?), ref: 010496FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0104974A
SetCurrentDirectoryW.KERNEL32(01096B7C), ref: 01049768
FindNextFileW.KERNEL32(00000000,00000010), ref: 01049772
FindClose.KERNEL32(00000000), ref: 0104977F
FindClose.KERNEL32(00000000), ref: 0104978F

Strings

*.*, xrefs: 010496F5

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e7db8a943ca896582cc0f0f290626e527696af3a06519484add0e040ee69e412
Instruction ID: 112e0817df21845b71b3b9eac424a0878e539b204562aa302986fcf9e0a82482
Opcode Fuzzy Hash: e7db8a943ca896582cc0f0f290626e527696af3a06519484add0e040ee69e412
Instruction Fuzzy Hash: 2231B6715006196BEF24EEB9DD48ADF77ECAF4D224F0041B5EAD5E20A0D735D9408B14

Function 0104979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 010497BE
FindNextFileW.KERNEL32(00000000,?), ref: 01049819
FindClose.KERNEL32(00000000), ref: 01049824
FindFirstFileW.KERNEL32(*.*,?), ref: 01049840
SetCurrentDirectoryW.KERNEL32(?), ref: 01049890
SetCurrentDirectoryW.KERNEL32(01096B7C), ref: 010498AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 010498B8
FindClose.KERNEL32(00000000), ref: 010498C5
FindClose.KERNEL32(00000000), ref: 010498D5

Part of subcall function 0103DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0103DB00

Strings

*.*, xrefs: 0104983B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 300fffc29bf62bb474ec6c112401c5cb9edea566bc8f60dde96dd2bf2f37406f
Instruction ID: 8ea3abe6c2c480cb9199e4cb4a518c3476eecbab5eb55209a7902f1bb266969a
Opcode Fuzzy Hash: 300fffc29bf62bb474ec6c112401c5cb9edea566bc8f60dde96dd2bf2f37406f
Instruction Fuzzy Hash: B831C971500619ABFF20EEBDDC849DF77AC9F49224F1041B9E9D4A2090D735D9458B20

Function 01048195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01048257
SystemTimeToFileTime.KERNEL32(?,?), ref: 01048267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01048273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01048310
SetCurrentDirectoryW.KERNEL32(?), ref: 01048324
SetCurrentDirectoryW.KERNEL32(?), ref: 01048356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0104838C
SetCurrentDirectoryW.KERNEL32(?), ref: 01048395

Strings

*.*, xrefs: 0104839B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 50c228fe0ce6fb6d992c7b7460577c18d8f9591c53aa6803462a05983567cf86
Instruction ID: 89c388f2d129912c32cfb226af37599b023e3ba6269f36bcfb1e4eb5fddcac56
Opcode Fuzzy Hash: 50c228fe0ce6fb6d992c7b7460577c18d8f9591c53aa6803462a05983567cf86
Instruction Fuzzy Hash: D9616BB25043059FD710EF64C8849AEB3E9FF89310F08896EF9C997261DB35E945CB92

Function 0103D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2

Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A

FindFirstFileW.KERNEL32(?,?), ref: 0103D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0103D1DD
MoveFileW.KERNEL32(?,?), ref: 0103D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0103D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0103D237

Part of subcall function 0103D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0103D21C,?,?), ref: 0103D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0103D253
FindClose.KERNEL32(00000000), ref: 0103D264

Strings

\*.*, xrefs: 0103D0CD, 0103D0D6, 0103D0EB

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b34dc27b3d8c0b190049897ee193e3ee4390024ece62ea5156013a2ca5faf892
Instruction ID: cb7a299331571eeeea31f0c4053f359cb4add79073c826cd9ce061643095210b
Opcode Fuzzy Hash: b34dc27b3d8c0b190049897ee193e3ee4390024ece62ea5156013a2ca5faf892
Instruction Fuzzy Hash: 5261BF31D0510DABCF05EBE0DE929EDB7BAAF51300F6841A6E48173291EB359F09DB61

Function 0104ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0104ED91
EmptyClipboard.USER32 ref: 0104ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0104EDAC
CloseClipboard.USER32 ref: 0104EEA3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: acc108c61bb502c0bc0e3cfc348f11cc846743caf7719085ecf126eaceb278a1
Instruction ID: babc42bac95da38c92b3c6a7831d4689abbd8c5e7e65a190700bbaa6f69c7313
Opcode Fuzzy Hash: acc108c61bb502c0bc0e3cfc348f11cc846743caf7719085ecf126eaceb278a1
Instruction Fuzzy Hash: F4418D75204611AFE721DF19D488B19BBE5FF48318F04C0A9E89A8B662C77AFC41CB90

Function 0103E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
Part of subcall function 010316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
Part of subcall function 010316C3: GetLastError.KERNEL32 ref: 0103174A

ExitWindowsEx.USER32(?,00000000), ref: 0103E932

Strings

, xrefs: 0103E95C
, xrefs: 0103E920
@, xrefs: 0103E925
SeShutdownPrivilege, xrefs: 0103E902

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c697a9bc40abe1edfb24679dc2e8d04462e1e722006086ddf00d1c9cf9cfc56e
Instruction ID: 80ebed5fcc2eead0c79f8891104191edd3015d95d09cba3b71592ab51d7080a8
Opcode Fuzzy Hash: c697a9bc40abe1edfb24679dc2e8d04462e1e722006086ddf00d1c9cf9cfc56e
Instruction Fuzzy Hash: BE01D672610211ABFB6426B8DD85BFF729C9798750F054A23FDC2E21D1D5A55C4083A0

Function 01051204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01051276
WSAGetLastError.WSOCK32 ref: 01051283
bind.WSOCK32(00000000,?,00000010), ref: 010512BA
WSAGetLastError.WSOCK32 ref: 010512C5
closesocket.WSOCK32(00000000), ref: 010512F4
listen.WSOCK32(00000000,00000005), ref: 01051303
WSAGetLastError.WSOCK32 ref: 0105130D
closesocket.WSOCK32(00000000), ref: 0105133C

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: cae4d2e9538f350e8f9fdc23fdcb886fddb3963f877289bc5ed0b1689bee2ed5
Instruction ID: 6bd6cf47d1d41ae6da3d8f58b29fcfd5446e1f2e5a536ac13f0bd75c587de4d4
Opcode Fuzzy Hash: cae4d2e9538f350e8f9fdc23fdcb886fddb3963f877289bc5ed0b1689bee2ed5
Instruction Fuzzy Hash: 9B41A5716001019FE760DF28C584B2ABBE6BF46314F188189D9968F397C775ED81CBE1

Function 0100B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0100B9D4
_free.LIBCMT ref: 0100B9F8
_free.LIBCMT ref: 0100BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01073700), ref: 0100BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,010A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0100BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,010A1270,000000FF,?,0000003F,00000000,?), ref: 0100BC36
_free.LIBCMT ref: 0100BD4B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 53f9a02e77945ac70094e2f062c8fbc61480a8da2a3ff6cc275b64eee7c8600e
Instruction ID: bc632d49a6864561bf1d4136d3285093211b28cd03e73c0ed7e9ea0bf3e9c95a
Opcode Fuzzy Hash: 53f9a02e77945ac70094e2f062c8fbc61480a8da2a3ff6cc275b64eee7c8600e
Instruction Fuzzy Hash: DEC12579904209AFFB239F6C8850BEEBBF8EF46210F1441AAD9D4D72C5EB319A41C750

Function 0103D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2

Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A

FindFirstFileW.KERNEL32(?,?), ref: 0103D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0103D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0103D481
FindClose.KERNEL32(00000000), ref: 0103D498
FindClose.KERNEL32(00000000), ref: 0103D4A1

Strings

\*.*, xrefs: 0103D3F2

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 642066ebba6c1707c525a0e53e183fd752b39e0f8f5c97d5435ba314c550e5ce
Instruction ID: f8a2c329f6c347e5d1c3292750eedae073c95b678d16646283525312ea0b205c
Opcode Fuzzy Hash: 642066ebba6c1707c525a0e53e183fd752b39e0f8f5c97d5435ba314c550e5ce
Instruction Fuzzy Hash: 553180710083419BC311EFA4D9918EFB7EDAE91304F884A1EF4D593291EB29AA09D763

Function 0100E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0100E645

Strings

1#QNAN, xrefs: 0100F84B
1#SNAN, xrefs: 0100F844
1#INF, xrefs: 0100F852
1#IND, xrefs: 0100F83D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8645c4c026ade8bb86fcab9077ade6cbf3269ae5d4e726b4c2ac3319c353c8fa
Instruction ID: 01aa5b001b67852e293d4770672c739603a912062382d8945df2a8df8f19695e
Opcode Fuzzy Hash: 8645c4c026ade8bb86fcab9077ade6cbf3269ae5d4e726b4c2ac3319c353c8fa
Instruction Fuzzy Hash: 54C25B71E046298FEB76CE28DD407EAB7B5EB44304F1445EAD58DE7281E778AE818F40

Function 0104648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 010464DC
CoInitialize.OLE32(00000000), ref: 01046639
CoCreateInstance.OLE32(0106FCF8,00000000,00000001,0106FB68,?), ref: 01046650
CoUninitialize.OLE32 ref: 010468D4

Strings

.lnk, xrefs: 010464BA, 01046524, 010465E0

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 770ff7b04fa12457afd9275f8d781dc196aa5a72acb6287cc458275b8fb9dd2c
Instruction ID: a3e33251b70a73d90e4e002b2839a3dc012b42eb9f9258247a73c9c30c2a09be
Opcode Fuzzy Hash: 770ff7b04fa12457afd9275f8d781dc196aa5a72acb6287cc458275b8fb9dd2c
Instruction Fuzzy Hash: 7ED16AB1508301AFD310EF24C88196BB7E9FF89704F44496DF5958B2A1EB71E905CBA2

Function 01049B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01049B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01049C8B

Part of subcall function 01043874: GetInputState.USER32 ref: 010438CB
Part of subcall function 01043874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01043966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01049BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01049C75

Strings

*.*, xrefs: 01049B5D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: b534d96892717337a7fb92a004027f068efdd58263be26c9114206c85ec17b51
Instruction ID: 3ed46a6230afd2151efb2499bec2f99cb6a902b37ae10ceacc6ebae57e08e29b
Opcode Fuzzy Hash: b534d96892717337a7fb92a004027f068efdd58263be26c9114206c85ec17b51
Instruction Fuzzy Hash: 6741B1B190020E9FDF54DFA4C985AEE7BF8EF09304F1440B6E985A2290EB319E44CF64

Function 00FE997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FE9A4E
GetSysColor.USER32(0000000F), ref: 00FE9B23
SetBkColor.GDI32(?,00000000), ref: 00FE9B36

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: c9e7560634d675298f5bb6e60cc5bc140cfc63612620c679b50f42c7da806d23
Instruction ID: 50fe7357a8a512e8e93114149e42e3a1089d47edc89b2529df5cf4f490a4f851
Opcode Fuzzy Hash: c9e7560634d675298f5bb6e60cc5bc140cfc63612620c679b50f42c7da806d23
Instruction Fuzzy Hash: 35A14D7110C5A0BEF7389A3E8C48EBF3A9DEF56714F144119F182C6685CAB98D01E371

Function 01051806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0105304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
Part of subcall function 0105304E: _wcslen.LIBCMT ref: 0105309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0105185D
WSAGetLastError.WSOCK32 ref: 01051884
bind.WSOCK32(00000000,?,00000010), ref: 010518DB
WSAGetLastError.WSOCK32 ref: 010518E6
closesocket.WSOCK32(00000000), ref: 01051915

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7fb4898a1d0427d8872c53030e9722397f912825c708b3b8d81768075b5f00c2
Instruction ID: 61f91d1e300eb151520e5d8140a8bcb67db5c724ceb241338f05f4720b2ac74d
Opcode Fuzzy Hash: 7fb4898a1d0427d8872c53030e9722397f912825c708b3b8d81768075b5f00c2
Instruction Fuzzy Hash: 9751B471A00200AFEB20EF24C886F6A77E5AB44718F088099F9459F3C7D779AD41CBE1

Function 0104CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0104CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0104CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFF2

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 9c3b460d3da262e9c34b0a4fd54965ad5b46a7cd94e3dc6180429010c7bcf975
Instruction ID: b086ef5dfcb26dfb66ec7399bad82915cdb9e3a546caa9321f874dd2907b71ea
Opcode Fuzzy Hash: 9c3b460d3da262e9c34b0a4fd54965ad5b46a7cd94e3dc6180429010c7bcf975
Instruction Fuzzy Hash: 53317FB1601205AFFB20DFA9CAC4AAFBBF8EF14210B10447EF586D2101D739AA419B60

Function 01061C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01061CC0
IsWindowEnabled.USER32 ref: 01061CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01061CDB
IsIconic.USER32 ref: 01061CE9
IsZoomed.USER32 ref: 01061CF7

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3e56b25972ef08b2e1a490719495e14bb93a715c99d24ea4261d62b07183b578
Instruction ID: ebf2981708eebd97008696d552f99e13faef89fdffe65a7c345b7ad25a8b491e
Opcode Fuzzy Hash: 3e56b25972ef08b2e1a490719495e14bb93a715c99d24ea4261d62b07183b578
Instruction Fuzzy Hash: E321A3317002055FE7609F1AC844B6E7BE9EFD9325F1980A9E8C6CB355CB76E842CB90

Function 00FD8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 01015DF0
VUUU, xrefs: 00FD843C
ERCP, xrefs: 00FD813C
VUUU, xrefs: 00FD83FA
VUUU, xrefs: 00FD83E8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 192ba38198a8c9cb1e85ce42f9d698afb3c011f5dee5118c574f066f44e5d7c2
Instruction ID: fd783ea7e3aa4f714c8c15afa0282784ae64bfd26ab31c23cb88333f00fc1a15
Opcode Fuzzy Hash: 192ba38198a8c9cb1e85ce42f9d698afb3c011f5dee5118c574f066f44e5d7c2
Instruction Fuzzy Hash: F2A26071E0021ACBDF25CF58C8407AEB7B2BF44354F28819AE855AB389DB759D82DF50

Function 0105A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0105A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0105A6BA

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0105A79C
CloseHandle.KERNEL32(00000000), ref: 0105A7AB

Part of subcall function 00FECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,01013303,?), ref: 00FECE8A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 3dbaa299f28bdf1736292122c8af98e6fd3b8c7d310e4ee9d2696a808ebd111c
Instruction ID: fc991e07acde005aba084862bffa114540eb76c8dd8c06c6d3b8c0b66457e0b8
Opcode Fuzzy Hash: 3dbaa299f28bdf1736292122c8af98e6fd3b8c7d310e4ee9d2696a808ebd111c
Instruction Fuzzy Hash: 52518C71608300AFD710EF24CC85A6BBBE9FF89714F04891EF98597291EB34D904DB92

Function 0103AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 0103ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0103AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0103AC74
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 0103ACC6

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 193165305aa3b43e39188de519a2615257efd2876c212a6602e79eb8c4d7d178
Instruction ID: 9dd1878bdabc5d9ed73ff7b1dc56508a41f4d07f91573ae32e669b6efcb5c30c
Opcode Fuzzy Hash: 193165305aa3b43e39188de519a2615257efd2876c212a6602e79eb8c4d7d178
Instruction Fuzzy Hash: F331E330B2461CEFFB358A6988087FE7AADABC9320F08425AE4C5D71D1C37989858B51

Function 01038298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 010382AA

Strings

|, xrefs: 010382DA
(, xrefs: 010382F0

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 9da0a11cfcb2ef5a19a8229281c690a1490722d1a19a5068cacb799fa5f901aa
Instruction ID: 3738ef1e401efcb0a3ce044447e9a183072cdbd71548fd124967628aac65165d
Opcode Fuzzy Hash: 9da0a11cfcb2ef5a19a8229281c690a1490722d1a19a5068cacb799fa5f901aa
Instruction Fuzzy Hash: 21322575A006059FDB28CF69C480A6AB7F5FF88310B15C5AEE59ADB3A1E770E941CB40

Function 01045C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01045CC1
FindNextFileW.KERNEL32(00000000,?), ref: 01045D17
FindClose.KERNEL32(?), ref: 01045D5F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 222da53e3652d13f08167ee608f13c707b80f5fee1720974fa7c4fe7e6a09afd
Instruction ID: 449fb7bc8f65adadd29aafe9ee658e15228dae67a86d2c9f4ba653a94ccad7e9
Opcode Fuzzy Hash: 222da53e3652d13f08167ee608f13c707b80f5fee1720974fa7c4fe7e6a09afd
Instruction Fuzzy Hash: F151AD746046019FD724DF28C8D4A9AB7E4FF49314F1485AEE99A8B3A2CB34E905CB91

Function 01002622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0100271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01002724
UnhandledExceptionFilter.KERNEL32(?), ref: 01002731

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 68c5080cd64def85ba0612e18e2e0994427c7958af4e46bce5ace890e79fdb7b
Instruction ID: e92bec0c1fb3faf21c503902753ac48cea94c07c993f014aafdfa27a68dd1101
Opcode Fuzzy Hash: 68c5080cd64def85ba0612e18e2e0994427c7958af4e46bce5ace890e79fdb7b
Instruction Fuzzy Hash: 9B31D67491122C9BDB61DF68DD887DCBBB8BF08310F5041EAE94CA7261EB749B818F44

Function 010451CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010451DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01045238
SetErrorMode.KERNEL32(00000000), ref: 010452A1

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: ec2eae5b0fab865c891787b37efc1c73b83e8fe76f3affd69aca3efbb8fe6423
Instruction ID: 5ed4d6fe5819f208ea5802754aca3d7c655328ab165b85b238b606712e0ee09a
Opcode Fuzzy Hash: ec2eae5b0fab865c891787b37efc1c73b83e8fe76f3affd69aca3efbb8fe6423
Instruction Fuzzy Hash: 18316B75A00109DFDB00DF94D884EADBBB5FF49314F08809AE845AB356DB36E845CBA0

Function 010316C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00FEFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0668
Part of subcall function 00FEFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
GetLastError.KERNEL32 ref: 0103174A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a6dc6531db6e888ac194d433fd300dc501bf96df8d35c6b7b379553d812ce456
Instruction ID: f964b78c303dbee9335a1beda1e03718c44e122da94b89684b45e6fe405e8af9
Opcode Fuzzy Hash: a6dc6531db6e888ac194d433fd300dc501bf96df8d35c6b7b379553d812ce456
Instruction Fuzzy Hash: 4211C1B2404305AFE7289F54DC86D6ABBFDFB48754B24852EF09653241EB75BC428B20

Function 0103D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0103D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D650

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4bd35dd99f60740a3a61c32ba26c9daf40a86caffeb58cbf74624a028db5296f
Instruction ID: 8d801ab79489189a67e4651672e8530663e5453eae8e1d0a26dfcc5e7899954f
Opcode Fuzzy Hash: 4bd35dd99f60740a3a61c32ba26c9daf40a86caffeb58cbf74624a028db5296f
Instruction Fuzzy Hash: 59118E71E01228BFEB208F99DC44FAFBFBCEB89B50F108151F954E7290C2704A058BA1

Function 01031663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0103168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010316A1
FreeSid.ADVAPI32(?), ref: 010316B1

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6685a54fedf5f2e0fd73911b7d918dd6e068f3e98fa515b8ef98c9572a659bec
Instruction ID: d282448011c609ac5500226286ed6c9a9df300e199acfe9ba5d70c70ea3946fe
Opcode Fuzzy Hash: 6685a54fedf5f2e0fd73911b7d918dd6e068f3e98fa515b8ef98c9572a659bec
Instruction Fuzzy Hash: 34F0177195030DBBEF00DFE4DA89EAEBBBCFB08604F5045A5F541E2181E775AA449B50

Function 00FF4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000,?,010028E9), ref: 00FF4D09
TerminateProcess.KERNEL32(00000000,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000,?,010028E9), ref: 00FF4D10
ExitProcess.KERNEL32 ref: 00FF4D22

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d583b95afa7975b521004411a0061bb8632b6ec4b028626c8c94a5c0039d040
Instruction ID: dd3bd8d5f315e177d6ac8e20d6974adf0ad38c3c727fa31433ea9090adfb0977
Opcode Fuzzy Hash: 3d583b95afa7975b521004411a0061bb8632b6ec4b028626c8c94a5c0039d040
Instruction Fuzzy Hash: E4E0BF31400149AFEF216F54DE09A593F69FF45751F104014FD958A236DB3AED41DB40

Function 0100C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0100C36C

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 83ba5d2665343ae371178fef34838bd6be2ca7a2044378926fb32271fa127bfb
Instruction ID: 524ee4fbb62a5ccba80d139463b8f1b217860b695c3eabb46c1c5b33e68403b0
Opcode Fuzzy Hash: 83ba5d2665343ae371178fef34838bd6be2ca7a2044378926fb32271fa127bfb
Instruction Fuzzy Hash: 15412872900219ABFB219FB9DD48EBB77B8EB84314F1042E9F945D71C0E6719E418B50

Function 0102D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0102D28C

Strings

X64, xrefs: 0102D2A8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5f94aea65c0b685a248f10e8288d9915435c0d418f71aaff50318ace63582436
Instruction ID: 59a85cd1df27af151765ae17e854bbb383f90df89072e7b44d204ffd8565e3d5
Opcode Fuzzy Hash: 5f94aea65c0b685a248f10e8288d9915435c0d418f71aaff50318ace63582436
Instruction Fuzzy Hash: E9D0C9B580112DEADB90CA90D888DDDB37CBB15305F000151F146A2000D73495488F20

Function 00FFCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 4ccd1399953d85e68ea14bdf8b2d6f38a22597120b58525ae0aca02e08702fef
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 28023D72E0012D9BDF14CFA9C9806ADFBF1EF88324F254169DA19E7394D731A941DB90

Function 010468EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01046918
FindClose.KERNEL32(00000000), ref: 01046961

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 33f6bc739d6e0e6040e88bd3cf443cc8c522db5d483faa0318e622abebe544f5
Instruction ID: bf955dceeef3292fb1fcfb25510a8fff74e69a5a633faee7a4625c2f320c9eb8
Opcode Fuzzy Hash: 33f6bc739d6e0e6040e88bd3cf443cc8c522db5d483faa0318e622abebe544f5
Instruction Fuzzy Hash: 9311D3756042019FD710DF29D4C4A16BBE5FF85328F08C6A9E8A98F3A2D775EC05CB91

Function 010437B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01054891,?,?,00000035,?), ref: 010437E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01054891,?,?,00000035,?), ref: 010437F4

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 86c2e27cee6cfdecd89f24863a318f6c7161f90904989d33d39595d166f991c1
Instruction ID: 37e316932e0f150dfc82f71920b8bb106174abebf1a071f8fdeb886f7b6a3530
Opcode Fuzzy Hash: 86c2e27cee6cfdecd89f24863a318f6c7161f90904989d33d39595d166f991c1
Instruction Fuzzy Hash: 53F0E5B06052392BE77056B68C8DFEB3AAEFFC4761F0001B5F589D2285D9609904C7B0

Function 0103B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0103B25D
keybd_event.USER32(?,7608C0D0,?,00000000), ref: 0103B270

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 58e7e495833f451f595b6e69007f24fa3fbd01c813750e9a5f15e952e3591158
Instruction ID: 109d915899253d661e65cb9c25f1823e78611c1380bbf9237e9071a817a73bc7
Opcode Fuzzy Hash: 58e7e495833f451f595b6e69007f24fa3fbd01c813750e9a5f15e952e3591158
Instruction Fuzzy Hash: 4BF01D7180428DABEB159FA5C806BAE7FB4FF04309F00804AF9A5A5192C77D82119F94

Function 010310BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010311FC), ref: 010310D4
CloseHandle.KERNEL32(?,?,010311FC), ref: 010310E9

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ff5116fb3551957c23380a2b391b0367c5e67823fe34866f20382d60e43a882c
Instruction ID: 30ede0a4d6451eaf9f9fec9155c1929e1377e5ca66c3c1f399178656af0fa2bb
Opcode Fuzzy Hash: ff5116fb3551957c23380a2b391b0367c5e67823fe34866f20382d60e43a882c
Instruction Fuzzy Hash: 6BE04F32008650AEF7352B12FC05E777BE9EB04310B10882EF5E5804B5DB666C90EB10

Function 00FDCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 01020C40

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: e8c4bf027bb8906349af28dde1ae0afafceeb36353b6c610ab0776320ba2401e
Instruction ID: 4a5577ef427f9febae2b49f1e80bb5e10da1266156668357bba5ea86bbf3da2f
Opcode Fuzzy Hash: e8c4bf027bb8906349af28dde1ae0afafceeb36353b6c610ab0776320ba2401e
Instruction Fuzzy Hash: EF32AE71900219DBDF14DF94CC80BEDB7B6FF04304F18809AE846AB396D775AA45EBA0

Function 0100676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,01006766,?,?,00000008,?,?,0100FEFE,00000000), ref: 01006998

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c97c5bbbb96ba30ff39b352161982393451a679cf4c731aebb2414e4727daaab
Instruction ID: 99526bc5fcd4f79117a5c95f39e5193694568e23f0510e5416f9ba47d5fcf900
Opcode Fuzzy Hash: c97c5bbbb96ba30ff39b352161982393451a679cf4c731aebb2414e4727daaab
Instruction Fuzzy Hash: 84B127715106088FE756CF28C486BA57BE1FB45364F258698E9D9CF2E2C336DAA1CB40

Function 00FEB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0102851F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 71776bdce07a31d2ea9ba8e4498756646a99d2076ecad04391e8e292dd1b230f
Instruction ID: 7db1adb3b5331bb495decdfa863fe0bc1e92d8dd02ec9553e9aa346f8f2e8c75
Opcode Fuzzy Hash: 71776bdce07a31d2ea9ba8e4498756646a99d2076ecad04391e8e292dd1b230f
Instruction Fuzzy Hash: C1126D75E002299FDB64CF59C8807EEB7F5FF48310F1481AAE849EB255E7349A81DB90

Function 0104EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0104EABD

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 54025ea59407de34651efe8f09bfcdfb05e8182cc7e32413509749a45a110a39
Instruction ID: 4d1aac7f34563379c58b5edebf32929b05adc75eea9791c17a8f02b0563446dc
Opcode Fuzzy Hash: 54025ea59407de34651efe8f09bfcdfb05e8182cc7e32413509749a45a110a39
Instruction Fuzzy Hash: 5CE01A752002059FD710EF59D844E9AB7E9BF98760F048426FD89C7361DA78B8408BA0

Function 0103E355 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0103E37E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: bea9f07d9111ced970e9fef2ae11e3f770ce8fed831e919e95e78262694d6245
Instruction ID: f5bb6715def672c96469aac6b50a97fd8419349b1a6def3e97f7b910dbfd277d
Opcode Fuzzy Hash: bea9f07d9111ced970e9fef2ae11e3f770ce8fed831e919e95e78262694d6245
Instruction Fuzzy Hash: 71D05EF21902017DFABD0A3CCE2FF7A298CE381580F40D789B2C189599DA91A4444021

Function 00FF09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FF03EE), ref: 00FF09DA

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ba17940a342e1df17bcee826ae40dc776b804be279516fb59e6b21fe1a91d5d6
Instruction ID: 1f02813f8fd5385b5077cc27e466e65b2bec5508b0c3db8b4cf9d54d2827a163
Opcode Fuzzy Hash: ba17940a342e1df17bcee826ae40dc776b804be279516fb59e6b21fe1a91d5d6
Instruction Fuzzy Hash:

Function 00FF781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00FF798B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5544599811cfa79770dc1e8201303a8d8bad75a87c85acc80163a15476ae8a42
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DB514862E0C70D56DB38796888997BFE3959F123E0F280509DB82C72B2C659DE06F355

Function 01006DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2e3f57e5c1641b8acfce6e048a3178e8d20b868e7bfa4eb4b9f88fc87ae372
Instruction ID: 24b8b2a91277d4fcbdafa379be8684007cdff0da658c5e8c0854939043b5d9c9
Opcode Fuzzy Hash: 1a2e3f57e5c1641b8acfce6e048a3178e8d20b868e7bfa4eb4b9f88fc87ae372
Instruction Fuzzy Hash: 5C323431D29F414DE7639538C822335B689AFB73C5F15C737E89AB599AEB2ED4834200

Function 00FECC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a607b19cbd2964af8c784064f45735b2c5a98ba77ab0c8923dcec083d23ef3
Instruction ID: 70b038e4bef0bc05348cef1d8273fb8f30093a7e613815df0eacb75598c94ab8
Opcode Fuzzy Hash: 72a607b19cbd2964af8c784064f45735b2c5a98ba77ab0c8923dcec083d23ef3
Instruction Fuzzy Hash: 2C321A31A001E58BFF34CE2DC694A7D7BE1FB45314F2881A6E6D9DB291D234D982DB41

Function 00FD7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150094402b49b5690bd2ce38aac514ba0202cd7a85836e758bda3a2002ec1b3d
Instruction ID: 317fde71dcc11131a820f6772c7c8e0207fac548c400601210bd9a2ae7617dbd
Opcode Fuzzy Hash: 150094402b49b5690bd2ce38aac514ba0202cd7a85836e758bda3a2002ec1b3d
Instruction Fuzzy Hash: A622C270A042099FDF14DF64DC41AAEB7F6FF85300F14462AE852AB395EB3AA914DB50

Function 00FD91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdaf6690048e6772ce27a77c6b6c80ad66965ff38fb9f11b055f5543101a4d0
Instruction ID: 0faa497818f2ef4ab7d635ebafa68bba130f5ed522d46faccb1d57dcc2515940
Opcode Fuzzy Hash: ebdaf6690048e6772ce27a77c6b6c80ad66965ff38fb9f11b055f5543101a4d0
Instruction Fuzzy Hash: A70208B1E00209EBDB05DF64DC81AAEBBB1FF44300F548165E846DB395EB79E910DB90

Function 00FF1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: f2098679692de4a8190f33a787f3f96a71c518a4a0d481fe43ea04d2bc8a21d6
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: D4918733A080A78ADB29463A857417EFFF16E923B131A079DD5F2CA1E5FE10D954F620

Function 00FF19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: f6a8aaabbb977991276218e8b1d81ed9c15d4a5e06c0fdbae832a9987a5e9524
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A89143726090A789DB29467A857403EFFE16E923B131A079DD5F2CA1E1FD14C564B620

Function 00FF7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9709589cb8283b9647f1568d198ae612a879dc13ef1dee5fe304c155cce2aa3
Instruction ID: dc02e6e86b2565d12a880328d41a5d04ab8587fe5a3cbf09d84c374eedb58cfd
Opcode Fuzzy Hash: c9709589cb8283b9647f1568d198ae612a879dc13ef1dee5fe304c155cce2aa3
Instruction Fuzzy Hash: 1C618B32A0C70D96EA34792C8C95BBEF394DF82364F100959EB42CB2B5D9599E43F315

Function 00FF7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11553f0c69f3b7b1bc255ed1dddd193d7fbcf316b7b9f37a820e80550faccee2
Instruction ID: dc47338a7b956606dc2dd45e7da18ba914708ae38f93af1ad1c4332aa14c5062
Opcode Fuzzy Hash: 11553f0c69f3b7b1bc255ed1dddd193d7fbcf316b7b9f37a820e80550faccee2
Instruction Fuzzy Hash: 87619A32E0870D52DE3879285C91BBFF388DF42764F90085AEB42DB2B1DA56AD42F315

Function 00FF1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 90993b1cc7899954c10c90672605173a2062aa95cfd0c6962a9596a3e2b8d29c
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 98818533A080A789EB2D423A857403EFFE17E923B131A079DD5F6CB1E1EE649554F660

Function 01303610 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1528063262.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 0c1666bf5424d3f6b2a1484f4f3ac45a3ad1a78b5c120a8aa01850e40fefc53c
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 5241C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40

Function 01042046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c95f7cf2df7b625a7b0573be3ced746f1f61936de28eeccd6f9f451b6549263
Instruction ID: 4f67654b7a043678e26b65c3e2c5e2f829bae330111f77e0e1c4c20638664efc
Opcode Fuzzy Hash: 7c95f7cf2df7b625a7b0573be3ced746f1f61936de28eeccd6f9f451b6549263
Instruction Fuzzy Hash: 7221D5723216158BD728CE79C82267A73E5A754210F54863EF4E7C77C1DE3AA904CB80

Function 013034A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1528063262.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: a84bc155cd3ff20e3d162d1c9574f2c5b6e80e0760807b9788a097b03f70cf23
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 7A01A478A05109EFCB49DF98C5909AEF7F5FF48314F208599D819AB741D730AE41DB80

Function 01303500 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1528063262.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 2546767ca829a554f1dd9643f44a4a11f2d871f82368897c5a4a8716fae3ad03
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: EE01A478A04109EFCB49DF98C5909AEF7F5FF48314F208599D819A7741E731AE41DB80

Function 01301E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1528063262.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 01052ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01052B30
DeleteObject.GDI32(00000000), ref: 01052B43
DestroyWindow.USER32 ref: 01052B52
GetDesktopWindow.USER32 ref: 01052B6D
GetWindowRect.USER32(00000000), ref: 01052B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01052CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01052CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052CF8
GetClientRect.USER32(00000000,?), ref: 01052D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01052D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DA8
GlobalFree.KERNEL32(00000000), ref: 01052DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0106FC38,00000000), ref: 01052DDB
GlobalFree.KERNEL32(00000000), ref: 01052DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01052E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01052E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0105303F

Strings

, xrefs: 01052FC5
AutoIt v3, xrefs: 01052CF2
DISPLAY, xrefs: 01052EA2
static, xrefs: 01052D3A, 01052E91

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b298e345b099385fc7e3b7562d9cdc17a4e6a52c2a00a8c74cca2ae9e3550d9f
Instruction ID: 9b77dd510a6a82686d86d67bb73d1fa96cca34699dccd04ebc3eaefa7b5c80cf
Opcode Fuzzy Hash: b298e345b099385fc7e3b7562d9cdc17a4e6a52c2a00a8c74cca2ae9e3550d9f
Instruction Fuzzy Hash: 75028E71500205EFEB24DF64DD89EAE7BB9FF48310F048159F995AB2A5C779AD00CB60

Function 010670D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0106712F
GetSysColorBrush.USER32(0000000F), ref: 01067160
GetSysColor.USER32(0000000F), ref: 0106716C
SetBkColor.GDI32(?,000000FF), ref: 01067186
SelectObject.GDI32(?,?), ref: 01067195
InflateRect.USER32(?,000000FF,000000FF), ref: 010671C0
GetSysColor.USER32(00000010), ref: 010671C8
CreateSolidBrush.GDI32(00000000), ref: 010671CF
FrameRect.USER32(?,?,00000000), ref: 010671DE
DeleteObject.GDI32(00000000), ref: 010671E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01067230
FillRect.USER32(?,?,?), ref: 01067262
GetWindowLongW.USER32(?,000000F0), ref: 01067284

Part of subcall function 010673E8: GetSysColor.USER32(00000012), ref: 01067421
Part of subcall function 010673E8: SetTextColor.GDI32(?,?), ref: 01067425
Part of subcall function 010673E8: GetSysColorBrush.USER32(0000000F), ref: 0106743B
Part of subcall function 010673E8: GetSysColor.USER32(0000000F), ref: 01067446
Part of subcall function 010673E8: GetSysColor.USER32(00000011), ref: 01067463
Part of subcall function 010673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01067471
Part of subcall function 010673E8: SelectObject.GDI32(?,00000000), ref: 01067482
Part of subcall function 010673E8: SetBkColor.GDI32(?,00000000), ref: 0106748B
Part of subcall function 010673E8: SelectObject.GDI32(?,?), ref: 01067498
Part of subcall function 010673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010674B7
Part of subcall function 010673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010674CE
Part of subcall function 010673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010674DB

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 3274ccb62fdb3fb081171bcdd4ca6fb856877e26d7d385f2614ade840b080060
Instruction ID: 8da13c21c10b3f6e4d728019516f6136fe5dcbbb2e1b427b7f13b812474e4751
Opcode Fuzzy Hash: 3274ccb62fdb3fb081171bcdd4ca6fb856877e26d7d385f2614ade840b080060
Instruction Fuzzy Hash: 3EA18072008301EFE7219F64DD48A5B7BE9FB49324F100A19FAE2961E4D77AD944CB51

Function 00FE8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FE8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 01026AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01026AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01026F43

Part of subcall function 00FE8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE8BE8,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8FC5

SendMessageW.USER32(?,00001053), ref: 01026F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01026F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 01026FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 01026FB7

Strings

0, xrefs: 01026DCF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ab4f3fedc18391296773d8f8d45b0fc9016b28a71bf6f8926ae9ba1ed94eb7ed
Instruction ID: 21859283a6d864f675cad6f2e71377f5ca167c457d49190ab5b78ce7b56a31cb
Opcode Fuzzy Hash: ab4f3fedc18391296773d8f8d45b0fc9016b28a71bf6f8926ae9ba1ed94eb7ed
Instruction Fuzzy Hash: 2012E130500261EFEB65EF18C944BAABBE5FF44300F5440A9F9D98B251CB37E892DB91

Function 01052711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0105273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0105286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010528A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010528B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01052900
GetClientRect.USER32(00000000,?), ref: 0105290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01052955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01052964
GetStockObject.GDI32(00000011), ref: 01052974
SelectObject.GDI32(00000000,00000000), ref: 01052978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01052988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01052991
DeleteDC.GDI32(00000000), ref: 0105299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010529C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 010529DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01052A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01052A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01052A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01052A77
GetStockObject.GDI32(00000011), ref: 01052A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01052A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01052A97

Strings

AutoIt v3, xrefs: 010528F8
msctls_progress32, xrefs: 01052A13
DISPLAY, xrefs: 0105295A
static, xrefs: 0105294F, 01052A71

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 012b8629689e56df49f105a73240deaabfec823fb1038365e50160bad4d3f2ac
Instruction ID: b0cabe63f3f54d8e32ccda6f9547ad5010c9e16992c3cb2e97d3c8536ea89e44
Opcode Fuzzy Hash: 012b8629689e56df49f105a73240deaabfec823fb1038365e50160bad4d3f2ac
Instruction Fuzzy Hash: F2B16EB2A00215AFEB24DFA8DD45FAF7BA9EF08710F048155F994EB290D779AD40CB50

Function 01044ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01044AED
GetDriveTypeW.KERNEL32(?,0106CB68,?,\\.\,0106CC08), ref: 01044BCA
SetErrorMode.KERNEL32(00000000,0106CB68,?,\\.\,0106CC08), ref: 01044D36

Strings

Unknown, xrefs: 01044BED, 01044C83
Network, xrefs: 01044C02
SATA, xrefs: 01044CD0
SAS, xrefs: 01044CC9
Removable, xrefs: 01044C10, 01044C15
SSD, xrefs: 01044C4A
RAID, xrefs: 01044CBB
ATAPI, xrefs: 01044C91
MMC, xrefs: 01044CDE
FileBackedVirtual, xrefs: 01044CEC
\\.\, xrefs: 01044B3F
iSCSI, xrefs: 01044CC2
USB, xrefs: 01044CB4
1394, xrefs: 01044C9F
ATA, xrefs: 01044C98
Fibre, xrefs: 01044CAD
CDROM, xrefs: 01044BFB
RAMDisk, xrefs: 01044BF4
SSA, xrefs: 01044CA6
PhysicalDrive, xrefs: 01044B76
SCSI, xrefs: 01044C8A
Virtual, xrefs: 01044CE5
Fixed, xrefs: 01044C09

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9cb6fb7bcf4f2bf0d15c6d93913defd8969c43befe488502580df0044ee9a344
Instruction ID: cfaef0f1c7f03ea917a6479f34bb3816c143fe7d9ceacac0f51f1a388583ad93
Opcode Fuzzy Hash: 9cb6fb7bcf4f2bf0d15c6d93913defd8969c43befe488502580df0044ee9a344
Instruction Fuzzy Hash: FF61D5B0A0410ADBCF44EF68CAD1A7C77E2AB04241B18406AF8D6EF251DB76DD85EB45

Function 010673E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01067421
SetTextColor.GDI32(?,?), ref: 01067425
GetSysColorBrush.USER32(0000000F), ref: 0106743B
GetSysColor.USER32(0000000F), ref: 01067446
CreateSolidBrush.GDI32(?), ref: 0106744B
GetSysColor.USER32(00000011), ref: 01067463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01067471
SelectObject.GDI32(?,00000000), ref: 01067482
SetBkColor.GDI32(?,00000000), ref: 0106748B
SelectObject.GDI32(?,?), ref: 01067498
InflateRect.USER32(?,000000FF,000000FF), ref: 010674B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010674CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010674DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0106752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01067554
InflateRect.USER32(?,000000FD,000000FD), ref: 01067572
DrawFocusRect.USER32(?,?), ref: 0106757D
GetSysColor.USER32(00000011), ref: 0106758E
SetTextColor.GDI32(?,00000000), ref: 01067596
DrawTextW.USER32(?,010670F5,000000FF,?,00000000), ref: 010675A8
SelectObject.GDI32(?,?), ref: 010675BF
DeleteObject.GDI32(?), ref: 010675CA
SelectObject.GDI32(?,?), ref: 010675D0
DeleteObject.GDI32(?), ref: 010675D5
SetTextColor.GDI32(?,?), ref: 010675DB
SetBkColor.GDI32(?,?), ref: 010675E5

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6797531cf864297f40b6bd428f600add14b3c792b442573f37c94afa19c79ca0
Instruction ID: 8e78d7ad5342581a897270f0432aa8f6843bdaaab09612780098533d301358aa
Opcode Fuzzy Hash: 6797531cf864297f40b6bd428f600add14b3c792b442573f37c94afa19c79ca0
Instruction Fuzzy Hash: A7618172900218AFEF119FA4DD48EEE7FB9EF09320F104151FA91AB2A1D7799940CF90

Function 01060FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01061128
GetDesktopWindow.USER32 ref: 0106113D
GetWindowRect.USER32(00000000), ref: 01061144
GetWindowLongW.USER32(?,000000F0), ref: 01061199
DestroyWindow.USER32(?), ref: 010611B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010611ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0106120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0106121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01061232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01061245
IsWindowVisible.USER32(00000000), ref: 010612A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010612BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010612D0
GetWindowRect.USER32(00000000,?), ref: 010612E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0106130E
GetMonitorInfoW.USER32(00000000,?), ref: 01061328
CopyRect.USER32(?,?), ref: 0106133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010613AA

Strings

0, xrefs: 010610D3
tooltips_class32, xrefs: 010611E6
(, xrefs: 0106131B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 69baf75ee4878a0067be2de018a4ee51aeb96b612f08853d38c5a71045a34dc8
Instruction ID: d6cac30011fa5b3781491f003455b88b33fa9e297ab5b86eb59f99e050780ed8
Opcode Fuzzy Hash: 69baf75ee4878a0067be2de018a4ee51aeb96b612f08853d38c5a71045a34dc8
Instruction Fuzzy Hash: F7B1AE71604341AFE750DF64C984B6ABBE9FF88310F048919F9D99B261C775E804CB91

Function 01060241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010602E5
_wcslen.LIBCMT ref: 0106031F
_wcslen.LIBCMT ref: 01060389
_wcslen.LIBCMT ref: 010603F1
_wcslen.LIBCMT ref: 01060475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010604C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01060504

Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD

Part of subcall function 0103223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01032258
Part of subcall function 0103223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0103228A

Strings

GETSELECTEDCOUNT, xrefs: 01060470, 0106048B
SELECTINVERT, xrefs: 0106057E
GETITEMCOUNT, xrefs: 01060316, 01060337
VIEWCHANGE, xrefs: 01060675
SELECT, xrefs: 01060548
DESELECT, xrefs: 0106059C
SELECTALL, xrefs: 01060515
FINDITEM, xrefs: 01060627
GETTEXT, xrefs: 010603EC, 01060407
GETSUBITEMCOUNT, xrefs: 01060384, 0106039F
GETSELECTED, xrefs: 010605E1
ISSELECTED, xrefs: 010604DD
SELECTCLEAR, xrefs: 0106052D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 03149422caeb50688d55b9c89416bce381f9dc2a9f75a7a0cebacd6b1c248991
Instruction ID: 847077ee51822df20cdf0df127a12e3f7135d37732e26d49e1a9049acdcab4f2
Opcode Fuzzy Hash: 03149422caeb50688d55b9c89416bce381f9dc2a9f75a7a0cebacd6b1c248991
Instruction Fuzzy Hash: 23E1C1322542418FCB14DF28C85093EB7EABF88314B14899DF8D69B3AADB34ED45CB41

Function 00FE8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE8968
GetSystemMetrics.USER32(00000007), ref: 00FE8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE899B
GetSystemMetrics.USER32(00000008), ref: 00FE89A3
GetSystemMetrics.USER32(00000004), ref: 00FE89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FE89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FE89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FE8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FE8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00FE8A5A
GetStockObject.GDI32(00000011), ref: 00FE8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE8A81

Part of subcall function 00FE912D: GetCursorPos.USER32(?), ref: 00FE9141
Part of subcall function 00FE912D: ScreenToClient.USER32(00000000,?), ref: 00FE915E
Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000001), ref: 00FE9183
Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000002), ref: 00FE919D

SetTimer.USER32(00000000,00000000,00000028,00FE90FC), ref: 00FE8AA8

Strings

AutoIt v3 GUI, xrefs: 00FE8A20

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 41591dc252b8f99cbf291be572749b02313d5a5241040665d5b18419ee7e8c19
Instruction ID: 41490ee076fb3da37e1ba7acbfe40458069257e9faec2b6a7bd32e07b6e2ca8d
Opcode Fuzzy Hash: 41591dc252b8f99cbf291be572749b02313d5a5241040665d5b18419ee7e8c19
Instruction Fuzzy Hash: E6B1A075A0024AAFDF14DFA8DD45BAE3BB4FB48310F004229FA95A7294DB79D941CF50

Function 01030D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
Part of subcall function 010310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
Part of subcall function 010310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
Part of subcall function 010310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01030DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01030E29
GetLengthSid.ADVAPI32(?), ref: 01030E40
GetAce.ADVAPI32(?,00000000,?), ref: 01030E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01030E96
GetLengthSid.ADVAPI32(?), ref: 01030EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01030EB5
HeapAlloc.KERNEL32(00000000), ref: 01030EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01030EDD
CopySid.ADVAPI32(00000000), ref: 01030EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01030F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01030F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01030F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F6E
HeapFree.KERNEL32(00000000), ref: 01030F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F7E
HeapFree.KERNEL32(00000000), ref: 01030F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F8E
HeapFree.KERNEL32(00000000), ref: 01030F95
GetProcessHeap.KERNEL32(00000000,?), ref: 01030FA1
HeapFree.KERNEL32(00000000), ref: 01030FA8

Part of subcall function 01031193: GetProcessHeap.KERNEL32(00000008,01030BB1,?,00000000,?,01030BB1,?), ref: 010311A1
Part of subcall function 01031193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01030BB1,?), ref: 010311A8
Part of subcall function 01031193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01030BB1,?), ref: 010311B7

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 702ca66c9a2a8f01bc8cae3c0c93fcf803ec147bf6671a5ca34ff184eb63c867
Instruction ID: ac70894b7f71885295e8db43a5edd818989a79e8ed9ba1056220e8e878cfd0f2
Opcode Fuzzy Hash: 702ca66c9a2a8f01bc8cae3c0c93fcf803ec147bf6671a5ca34ff184eb63c867
Instruction Fuzzy Hash: 94717D7290120AAFEF209FA8DD44FEEBBBCBF46300F044155FA99E6194D7359905CB60

Function 0105C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0106CC08,00000000,?,00000000,?,?), ref: 0105C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0105C5A4
_wcslen.LIBCMT ref: 0105C5F4
_wcslen.LIBCMT ref: 0105C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0105C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0105C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0105C84D
RegCloseKey.ADVAPI32(?), ref: 0105C881
RegCloseKey.ADVAPI32(00000000), ref: 0105C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0105C960

Strings

REG_BINARY, xrefs: 0105C913
REG_DWORD, xrefs: 0105C804
REG_EXPAND_SZ, xrefs: 0105C5CD
REG_MULTI_SZ, xrefs: 0105C6F5
REG_QWORD, xrefs: 0105C8C3
REG_SZ, xrefs: 0105C644

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 09c6c067622caf40bf0a685eae86ff78870a69f4461368e0e284fa43146d520f
Instruction ID: 59057bb9cb61483ffeb1a057f444c47820baa0703fec2e80c740737b15a4a1c5
Opcode Fuzzy Hash: 09c6c067622caf40bf0a685eae86ff78870a69f4461368e0e284fa43146d520f
Instruction Fuzzy Hash: 58125C356043019FE754DF18C981B2AB7E5EF88714F08889DF98A9B3A2DB35ED41DB81

Function 0106091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010609C6
_wcslen.LIBCMT ref: 01060A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01060A54
_wcslen.LIBCMT ref: 01060A8A
_wcslen.LIBCMT ref: 01060B06
_wcslen.LIBCMT ref: 01060B81

Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD

Part of subcall function 01032BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01032BFA

Strings

ISCHECKED, xrefs: 01060CE1
GETTOTALCOUNT, xrefs: 010609F2, 01060A17
EXISTS, xrefs: 01060B7C, 01060B97
UNCHECK, xrefs: 01060D3E
GETITEMCOUNT, xrefs: 01060C1E
GETTEXT, xrefs: 01060C97
EXPAND, xrefs: 01060BF8
CHECK, xrefs: 01060A85, 01060AA0
GETSELECTED, xrefs: 01060C4E
COLLAPSE, xrefs: 01060B01, 01060B1C
SELECT, xrefs: 01060D11

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 20da5db7dd9c3565ff92320b3d7dc691928e7c7ba8647c1575e3d53f94252eb4
Instruction ID: a0a25b00d1f9e5556df84346574735ccf133f36db106403c23cebda246eae950
Opcode Fuzzy Hash: 20da5db7dd9c3565ff92320b3d7dc691928e7c7ba8647c1575e3d53f94252eb4
Instruction Fuzzy Hash: 54E1AF322483018FCB14EF29C85096EB7E6BF98354B048A9DF8D69B366D735ED45CB81

Function 0105C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
_wcslen.LIBCMT ref: 0105C9F1
_wcslen.LIBCMT ref: 0105CA68
_wcslen.LIBCMT ref: 0105CA9E
_wcslen.LIBCMT ref: 0105CAF9
_wcslen.LIBCMT ref: 0105CB2F
_wcslen.LIBCMT ref: 0105CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 0105CAF3, 0105CAF8
HKEY_LOCAL_MACHINE, xrefs: 0105CA62, 0105CA67
HKCR, xrefs: 0105CB29, 0105CB2E
HKCC, xrefs: 0105CBAC
HKCU, xrefs: 0105CBCE
HKEY_USERS, xrefs: 0105CBDF
HKEY_CURRENT_CONFIG, xrefs: 0105CB79, 0105CB7E
HKU, xrefs: 0105CBF0
HKLM, xrefs: 0105CA98, 0105CA9D
HKEY_CURRENT_USER, xrefs: 0105CBBD

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 1c6bb14ccbd5e4042b39d3dde9fab7c3a8aae7d6cb4af9f7c7dc04268749db2d
Instruction ID: 1fb0249d2e73d02096c703647264d4d3a506943e1761f9eadcc8db54e42e8096
Opcode Fuzzy Hash: 1c6bb14ccbd5e4042b39d3dde9fab7c3a8aae7d6cb4af9f7c7dc04268749db2d
Instruction Fuzzy Hash: 4871053360022A8BEFA1DE6CCE505BF3BD9AF50654F140168FCD297286E635CD44E7A0

Function 0106833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0106835A
_wcslen.LIBCMT ref: 0106836E
_wcslen.LIBCMT ref: 01068391
_wcslen.LIBCMT ref: 010683B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010683F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01065BF2), ref: 0106844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01068487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010684CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01068501
FreeLibrary.KERNEL32(?), ref: 0106850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0106851D
DestroyIcon.USER32(?,?,?,?,?,01065BF2), ref: 0106852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01068549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01068555

Strings

.icl, xrefs: 01068368
.dll, xrefs: 010683AB
.exe, xrefs: 01068388

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 94b7ae3f8f264c1053f4565b0ffb5bc597a0200c227bba9868062ac86299d2fd
Instruction ID: 44eb02f3ced6b39efe73b25b60a81a4ef62f1dd783f3b0ea91d8aad2b5696b58
Opcode Fuzzy Hash: 94b7ae3f8f264c1053f4565b0ffb5bc597a0200c227bba9868062ac86299d2fd
Instruction Fuzzy Hash: CB61E271540319BAEB24DF64CC41BBF77ACBF08710F10864AF995DA1D1DBB9AA80D7A0

Function 00FD7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 00FD77FF
Cannot parse #include, xrefs: 01015279
#pragma compile, xrefs: 00FD77D3
", xrefs: 01015153
#ce, xrefs: 00FD78ED
', xrefs: 01015169
#OnAutoItStartRegister, xrefs: 00FD7817
Unterminated group of comments, xrefs: 0101528C
#comments-start, xrefs: 00FD785F, 00FD78B1
#notrayicon, xrefs: 00FD77E7
#cs, xrefs: 00FD7873, 00FD78C5
#include-once, xrefs: 00FD782F
Bad directive syntax error, xrefs: 0101519A
#comments-end, xrefs: 00FD78D9
#include, xrefs: 00FD7847

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: df4bbadede3f7436c4deb996f9d6664d8ee26df27f5220c65952cf634e6624c1
Instruction ID: dd11e5ed71e435b8aae832455fc88c422948806204761bce0584e702a4dd8a6f
Opcode Fuzzy Hash: df4bbadede3f7436c4deb996f9d6664d8ee26df27f5220c65952cf634e6624c1
Instruction Fuzzy Hash: B9811771A04305BBDB21BF64DC42FBE3BA9AF45300F084426F945AE256FB78D901E791

Function 01035A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 01035A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01035A40
SetWindowTextW.USER32(?,?), ref: 01035A57
GetDlgItem.USER32(?,000003EA), ref: 01035A6C
SetWindowTextW.USER32(00000000,?), ref: 01035A72
GetDlgItem.USER32(?,000003E9), ref: 01035A82
SetWindowTextW.USER32(00000000,?), ref: 01035A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01035AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01035AC3
GetWindowRect.USER32(?,?), ref: 01035ACC
_wcslen.LIBCMT ref: 01035B33
SetWindowTextW.USER32(?,?), ref: 01035B6F
GetDesktopWindow.USER32 ref: 01035B75
GetWindowRect.USER32(00000000), ref: 01035B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01035BD3
GetClientRect.USER32(?,?), ref: 01035BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 01035C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01035C2F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 113402875e02e104cd8f5a1eed3da1268f02e1da423e8116e87155fe975016fc
Instruction ID: b2f1008970219e2be72f684e72127cab97b2ff0df8c440435f1442c60cd2b07b
Opcode Fuzzy Hash: 113402875e02e104cd8f5a1eed3da1268f02e1da423e8116e87155fe975016fc
Instruction Fuzzy Hash: 03717F31900709AFDB24DFA8CE85AAEBBF9FF88704F104558E5C2A25A4D779E940CF50

Function 00FF00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FF00C6

Part of subcall function 00FF00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(010A070C,00000FA0,2CFC45AC,?,?,?,?,010123B3,000000FF), ref: 00FF011C
Part of subcall function 00FF00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,010123B3,000000FF), ref: 00FF0127
Part of subcall function 00FF00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,010123B3,000000FF), ref: 00FF0138
Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FF014E
Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FF015C
Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FF016A
Part of subcall function 00FF00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FF0195
Part of subcall function 00FF00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FF01A0

___scrt_fastfail.LIBCMT ref: 00FF00E7

Part of subcall function 00FF00A3: __onexit.LIBCMT ref: 00FF00A9

Strings

kernel32.dll, xrefs: 00FF0133
SleepConditionVariableCS, xrefs: 00FF0154
InitializeConditionVariable, xrefs: 00FF0148
WakeAllConditionVariable, xrefs: 00FF0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FF0122

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: eae3c32527f0dbe6551159c1c393ca96b6560d3ea3fdaba258cfade685f6a03a
Instruction ID: 4c5f070fd86c93ff83d2e660dae58817f1397c531e44ce5170d22ef8fd53fe0f
Opcode Fuzzy Hash: eae3c32527f0dbe6551159c1c393ca96b6560d3ea3fdaba258cfade685f6a03a
Instruction Fuzzy Hash: 26213E32E45719ABE7306BA5AD05B7E3799EF05B60F00012AF9C1AB265DF799C009B50

Function 010330F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103318D
_wcslen.LIBCMT ref: 010331F8

Strings

INSTANCE, xrefs: 01033453
CLASSNN, xrefs: 010331F3, 01033204
REGEXPCLASS, xrefs: 01033255, 01033266
TEXT, xrefs: 0103347C
NAME, xrefs: 01033335, 01033346
CLASS, xrefs: 01033188, 010331A5

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: cb1c7a7c7eb0ac5628ad9e20d27ee0ed61f66e6120bd5e4a89971c95b3defbdc
Instruction ID: 66f52825b4d4eb2556f94318b223c249ab64bcb22e0424c09669a07da256d8a3
Opcode Fuzzy Hash: cb1c7a7c7eb0ac5628ad9e20d27ee0ed61f66e6120bd5e4a89971c95b3defbdc
Instruction Fuzzy Hash: 9BE10632A001169BCF199F68C8917FEFBB8BF84710F14815AE5D6EB241DF30A945DB90

Function 010444C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0106CC08), ref: 01044527
_wcslen.LIBCMT ref: 0104453B
_wcslen.LIBCMT ref: 01044599
_wcslen.LIBCMT ref: 010445F4
_wcslen.LIBCMT ref: 0104463F
_wcslen.LIBCMT ref: 010446A7

Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD

GetDriveTypeW.KERNEL32(?,01096BF0,00000061), ref: 01044743

Strings

unknown, xrefs: 01044708
network, xrefs: 0104469D, 010446A2
fixed, xrefs: 01044635, 0104463A
cdrom, xrefs: 0104458F, 01044594
ramdisk, xrefs: 010446F1
removable, xrefs: 010445EA, 010445EF
all, xrefs: 01044531, 01044536

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 373dc7b2df3e4d5f7a4dedbfd6fcc2656b9688c630b6e54a63389acd5afc9642
Instruction ID: 3897bfe768af297ce158af8cb069bb4f11746d9a6f5dfe128e48b595aade8441
Opcode Fuzzy Hash: 373dc7b2df3e4d5f7a4dedbfd6fcc2656b9688c630b6e54a63389acd5afc9642
Instruction Fuzzy Hash: 35B1FEB16083029BC710DF28C8D0A6EB7E5BF99760F44496DF5D6C7292E734D845CBA2

Function 0105AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0105B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105B1D4
_wcslen.LIBCMT ref: 0105B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105B236
_wcslen.LIBCMT ref: 0105B332

Part of subcall function 010405A7: GetStdHandle.KERNEL32(000000F6), ref: 010405C6

_wcslen.LIBCMT ref: 0105B34B
_wcslen.LIBCMT ref: 0105B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0105B3B6
GetLastError.KERNEL32(00000000), ref: 0105B407
CloseHandle.KERNEL32(?), ref: 0105B439
CloseHandle.KERNEL32(00000000), ref: 0105B44A
CloseHandle.KERNEL32(00000000), ref: 0105B45C
CloseHandle.KERNEL32(00000000), ref: 0105B46E
CloseHandle.KERNEL32(?), ref: 0105B4E3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 306bb0934a60c8e014c15c9ae8a92f5712ef8249fea4c18ec6a3b53a3de4eaee
Instruction ID: e278f3b778e2b693059f0bca699bd4089db9f516256ab12c1244da96791a6096
Opcode Fuzzy Hash: 306bb0934a60c8e014c15c9ae8a92f5712ef8249fea4c18ec6a3b53a3de4eaee
Instruction Fuzzy Hash: B2F19D716043409FD764EF28C881B6FBBE6AF85310F18855EF9D59B2A2DB35E804CB52

Function 00FD326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(010A1990), ref: 01012F8D
GetMenuItemCount.USER32(010A1990), ref: 0101303D
GetCursorPos.USER32(?), ref: 01013081
SetForegroundWindow.USER32(00000000), ref: 0101308A
TrackPopupMenuEx.USER32(010A1990,00000000,?,00000000,00000000,00000000), ref: 0101309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 010130A9

Strings

0, xrefs: 00FD327D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5f2aeaac9e9ca696e6b89aa38991d48d9d5ab56f14979e9a2abc6c85f55628f9
Instruction ID: 6cfa76654f6a1f831faecb9aaea601050190b2bc413876d748d78d9f3ce0db24
Opcode Fuzzy Hash: 5f2aeaac9e9ca696e6b89aa38991d48d9d5ab56f14979e9a2abc6c85f55628f9
Instruction Fuzzy Hash: 25714B31640209BEFB319F28CC49FAABFA9FF05324F244217F6946A2D4C7B5A850DB51

Function 01066CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 01066DEB

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01066E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01066E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01066E94
DestroyWindow.USER32(?), ref: 01066EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FD0000,00000000), ref: 01066EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01066EFD
GetDesktopWindow.USER32 ref: 01066F16
GetWindowRect.USER32(00000000), ref: 01066F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01066F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01066F4D

Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952

Strings

0, xrefs: 01066D98
tooltips_class32, xrefs: 01066E58, 01066EDD

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 425636902746d9bb75210c8a1f41bcc4c1ed97d79adbc6c06adcb4f216309c0d
Instruction ID: 7dc5190c4b6550edc25dd9f1593d53c40e546bfd0c9db9639aeb50c85c65af19
Opcode Fuzzy Hash: 425636902746d9bb75210c8a1f41bcc4c1ed97d79adbc6c06adcb4f216309c0d
Instruction Fuzzy Hash: B8717670104244AFEB21CF1CC844EAABBE9FB89304F84045EFADA87261C776E906DB15

Function 0106911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

DragQueryPoint.SHELL32(?,?), ref: 01069147

Part of subcall function 01067674: ClientToScreen.USER32(?,?), ref: 0106769A
Part of subcall function 01067674: GetWindowRect.USER32(?,?), ref: 01067710
Part of subcall function 01067674: PtInRect.USER32(?,?,01068B89), ref: 01067720

SendMessageW.USER32(?,000000B0,?,?), ref: 010691B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010691BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010691DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01069225
SendMessageW.USER32(?,000000B0,?,?), ref: 0106923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01069255
SendMessageW.USER32(?,000000B1,?,?), ref: 01069277
DragFinish.SHELL32(?), ref: 0106927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01069371

Strings

@GUI_DRAGID, xrefs: 010692E9
@GUI_DROPID, xrefs: 0106929E
@GUI_DRAGFILE, xrefs: 01069320

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 7d2a8afae115f81893474596dbdb97d5cfb7de4911806192281b1de2e1c03bc2
Instruction ID: 08a3cc4d85e15daa0544c5205a7a6b72b7feb42fc46311021e80bffcce3216e4
Opcode Fuzzy Hash: 7d2a8afae115f81893474596dbdb97d5cfb7de4911806192281b1de2e1c03bc2
Instruction Fuzzy Hash: A5618871108302AFD701DFA0DC85DAFBBE9EF88750F40091EF5D5922A0DB759A48CB62

Function 0104C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0104C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0104C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0104C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0104C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0104C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0104C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0104C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0104C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0104C5F0
InternetCloseHandle.WININET(00000000), ref: 0104C5FB

Strings

, xrefs: 0104C575

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 133f62c79c8051774763b1ff7d9784254f43eef04b1090390cdbee67f52394bf
Instruction ID: 2c5e97e0db1465ef6c33940033df444e73322b13ffa59dcbfa0f3245b9d19c04
Opcode Fuzzy Hash: 133f62c79c8051774763b1ff7d9784254f43eef04b1090390cdbee67f52394bf
Instruction Fuzzy Hash: DF513FB1501605BFFB219F65CA88AAF7BFCFF08754F008429F9C696150DB39E9449BA0

Function 0106856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01068592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0106FC38,?), ref: 01068611
GlobalFree.KERNEL32(00000000), ref: 01068621
GetObjectW.GDI32(?,00000018,?), ref: 01068641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01068671
DeleteObject.GDI32(?), ref: 01068699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010686AF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2afcfd496e45bcedcbbc5e9e2a9571e3039aa916ea6a9778ef31fd26513e416c
Instruction ID: 381731c07dbf9b1b6bd5ef29cf878481826be3b9ae0c107988d71b44e5bafb2e
Opcode Fuzzy Hash: 2afcfd496e45bcedcbbc5e9e2a9571e3039aa916ea6a9778ef31fd26513e416c
Instruction Fuzzy Hash: DF412B75600205AFEB219FA9CD48EAE7BBCEF89711F008059F989EB264D7359901CB20

Function 010414BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01041502
VariantCopy.OLEAUT32(?,?), ref: 0104150B
VariantClear.OLEAUT32(?), ref: 01041517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010415FB
VarR8FromDec.OLEAUT32(?,?), ref: 01041657
VariantInit.OLEAUT32(?), ref: 01041708
SysFreeString.OLEAUT32(?), ref: 0104178C
VariantClear.OLEAUT32(?), ref: 010417D8
VariantClear.OLEAUT32(?), ref: 010417E7
VariantInit.OLEAUT32(00000000), ref: 01041823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 01041625
Default, xrefs: 010416AF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: dcb982b99ce2aa815a3645203875357a21f66203a46db8dc9a41ce7c34f377a8
Instruction ID: d3173a3c65ca477d726e559941d04a0c35780443d6593e9cba3ae12d9e6ef2fd
Opcode Fuzzy Hash: dcb982b99ce2aa815a3645203875357a21f66203a46db8dc9a41ce7c34f377a8
Instruction Fuzzy Hash: 8CD1D5B1600219DBDB10DF65D8C5BBDBBF5BF05700F0880A6E9969B280DB35F885DBA1

Function 0105B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0105B80A
RegCloseKey.ADVAPI32(?), ref: 0105B87E
RegCloseKey.ADVAPI32(?), ref: 0105B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0105B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0105B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0105B922
FreeLibrary.KERNEL32(00000000), ref: 0105B983
RegCloseKey.ADVAPI32(00000000), ref: 0105B994

Strings

RegDeleteKeyExW, xrefs: 0105B8FE
advapi32.dll, xrefs: 0105B8ED

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: de34fa4445113de9bbda7053546e1b94d6bc0cceaa6be09157573c7a800124ad
Instruction ID: c7bf221b8c651a94c59af0b9a54b8657daabf23e8fdc9eead26fd8ec05e55f83
Opcode Fuzzy Hash: de34fa4445113de9bbda7053546e1b94d6bc0cceaa6be09157573c7a800124ad
Instruction Fuzzy Hash: 17C17E34204201AFE750DF18C495F2ABBE2FF85308F18859DF9968B3A2CB75E945CB91

Function 0105255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010525D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010525E8
CreateCompatibleDC.GDI32(?), ref: 010525F4
SelectObject.GDI32(00000000,?), ref: 01052601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0105266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010526AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010526D0
SelectObject.GDI32(?,?), ref: 010526D8
DeleteObject.GDI32(?), ref: 010526E1
DeleteDC.GDI32(?), ref: 010526E8
ReleaseDC.USER32(00000000,?), ref: 010526F3

Strings

(, xrefs: 0105268D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 27cd013c982cef96ae290b224b04612f67168e53094511c2bd67c3d3d3cce0ca
Instruction ID: 340f1eca7a52e99a22fad7b9326b7bdb71da08aa298bf5e0b8b468b35ab1a18a
Opcode Fuzzy Hash: 27cd013c982cef96ae290b224b04612f67168e53094511c2bd67c3d3d3cce0ca
Instruction Fuzzy Hash: DA611375D00209EFDF15CFA8C984AAEBBF5FF48310F20852AE995A7250D775A940CFA0

Function 0100DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0100DAA1

Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D659
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D66B
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D67D
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D68F
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6A1
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6B3
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6C5
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6D7
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6E9
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6FB
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D70D
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D71F
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D731

_free.LIBCMT ref: 0100DA96

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 0100DAB8
_free.LIBCMT ref: 0100DACD
_free.LIBCMT ref: 0100DAD8
_free.LIBCMT ref: 0100DAFA
_free.LIBCMT ref: 0100DB0D
_free.LIBCMT ref: 0100DB1B
_free.LIBCMT ref: 0100DB26
_free.LIBCMT ref: 0100DB5E
_free.LIBCMT ref: 0100DB65
_free.LIBCMT ref: 0100DB82
_free.LIBCMT ref: 0100DB9A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9f2ac2bbc661ef493700b1d973b439b5028659a318c79e99af8c616188ee2662
Instruction ID: cac6e923f02d539fe2cac0ffb1567042a6e23e09fd8a78abda6c82cc4b0169af
Opcode Fuzzy Hash: 9f2ac2bbc661ef493700b1d973b439b5028659a318c79e99af8c616188ee2662
Instruction Fuzzy Hash: 463139316046069FFB63AAB9E848B9A7BE9FF11250F244459E4C9D71D1DE35E880CB30

Function 0103365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0103369C
_wcslen.LIBCMT ref: 010336A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01033797
GetClassNameW.USER32(?,?,00000400), ref: 0103380C
GetDlgCtrlID.USER32(?), ref: 0103385D
GetWindowRect.USER32(?,?), ref: 01033882
GetParent.USER32(?), ref: 010338A0
ScreenToClient.USER32(00000000), ref: 010338A7
GetClassNameW.USER32(?,?,00000100), ref: 01033921
GetWindowTextW.USER32(?,?,00000400), ref: 0103395D

Strings

%s%u, xrefs: 01033734

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 9ce791be66b255f20b664ed96d02188ea400c0aa6850e23976d63df9a956c123
Instruction ID: 4b09bec1805f56015a79183c4c2ff7c88d6124fe231a6e9e81ba8dd5ad769c7b
Opcode Fuzzy Hash: 9ce791be66b255f20b664ed96d02188ea400c0aa6850e23976d63df9a956c123
Instruction Fuzzy Hash: BA91A271204606EFE715DF28C884BAAF7ECFF84310F00851AFAD9DA150DB34A945CB91

Function 01034954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 01034994
GetWindowTextW.USER32(?,?,00000400), ref: 010349DA
_wcslen.LIBCMT ref: 010349EB
CharUpperBuffW.USER32(?,00000000), ref: 010349F7
_wcsstr.LIBVCRUNTIME ref: 01034A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 01034A64
GetWindowTextW.USER32(?,?,00000400), ref: 01034A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 01034AE6
GetClassNameW.USER32(?,?,00000400), ref: 01034B20
GetWindowRect.USER32(?,?), ref: 01034B8B

Strings

ThumbnailClass, xrefs: 01034A6F, 01034AF1

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 907ff7ef1d06aaa36869c5c7fbe512c484ab155caa90cc8e81bc720c9b713c01
Instruction ID: fff677af2c5f0cf1fdda20fef021db7c635eb97b86451075a83163b9b47b721f
Opcode Fuzzy Hash: 907ff7ef1d06aaa36869c5c7fbe512c484ab155caa90cc8e81bc720c9b713c01
Instruction Fuzzy Hash: 1791B2311042099FEB59DE18C980BAA7BECFF84314F0484AAFEC5DA196DB34E945CB61

Function 01068D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01068D5A
GetFocus.USER32 ref: 01068D6A
GetDlgCtrlID.USER32(00000000), ref: 01068D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01068E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01068ECF
GetMenuItemCount.USER32(?), ref: 01068EEC
GetMenuItemID.USER32(?,00000000), ref: 01068EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01068F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01068F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01068FA1

Strings

0, xrefs: 01068E9F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: a26e8775fb6d0c37db2e81887ace9c38fbcbed8ddbe8d1e8e176a5e3d2830412
Instruction ID: e9e788c4b57f2451623ec4c52b4be5b508bddce8571431903a5a18f5a4dcbc03
Opcode Fuzzy Hash: a26e8775fb6d0c37db2e81887ace9c38fbcbed8ddbe8d1e8e176a5e3d2830412
Instruction Fuzzy Hash: D4818D71508301ABE761CF18CC84AAB7BEDFB88354F04895AFAC597292D775D940CB61

Function 0103DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0103DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0103DC46
_wcslen.LIBCMT ref: 0103DC50
_wcsstr.LIBVCRUNTIME ref: 0103DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0103DCBC

Strings

StringFileInfo\, xrefs: 0103DC8F
\VarFileInfo\Translation, xrefs: 0103DCB4
DefaultLangCodepage, xrefs: 0103DD1F
04090000, xrefs: 0103DCF2
%u.%u.%u.%u, xrefs: 0103DD9A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 09e706a9bbd85efcc4dd6613972c6e18689c5b9a1585ba0e280bb163846d7856
Instruction ID: 2d1596356a7f6f45bfd0dfdfb28c46424f9451b0c1b4f8d886feb1f9413d8a64
Opcode Fuzzy Hash: 09e706a9bbd85efcc4dd6613972c6e18689c5b9a1585ba0e280bb163846d7856
Instruction Fuzzy Hash: F8414D729402057AEB15B775DC07EBF37ACEF42710F40006EFA80BA153EB799901A7A4

Function 0105CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0105CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0105CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0105CD48

Part of subcall function 0105CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0105CCAA
Part of subcall function 0105CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0105CCBD
Part of subcall function 0105CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0105CCCF
Part of subcall function 0105CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0105CD05
Part of subcall function 0105CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0105CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0105CCF3

Strings

RegDeleteKeyExW, xrefs: 0105CCC9
advapi32.dll, xrefs: 0105CCB8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 69cb81728a295e0f50b27ee51d6f368a22280173c442c3e26add7315b30d1251
Instruction ID: f5e96165b0138220b36fd5be6cf96240fc96f36f4a1a2f70d5875dbaea50a758
Opcode Fuzzy Hash: 69cb81728a295e0f50b27ee51d6f368a22280173c442c3e26add7315b30d1251
Instruction Fuzzy Hash: 0B318071901229BBFB719A95DD88EFFBFBCEF06640F0001A5F981E6104D6749A459BB0

Function 01043D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01043D40
_wcslen.LIBCMT ref: 01043D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 01043D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01043DBE
RemoveDirectoryW.KERNEL32(?), ref: 01043DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01043E55
CloseHandle.KERNEL32(00000000), ref: 01043E60
CloseHandle.KERNEL32(00000000), ref: 01043E6B

Strings

\??\%s, xrefs: 01043D5B
\, xrefs: 01043D77
:, xrefs: 01043D82

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 6be8108e2e1807ccd1d898f9c52942e9bfab2cd62c7548e236327033b083f11b
Instruction ID: b4515ca8d423a0e003af067910e4bb8a3bdef0fc4e2020f934110745a3045348
Opcode Fuzzy Hash: 6be8108e2e1807ccd1d898f9c52942e9bfab2cd62c7548e236327033b083f11b
Instruction Fuzzy Hash: 3031B6B150011AABEB21ABA4DC85FEF37BDFF89700F1040B5F689D6064E77493448B24

Function 0103E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0103E6B4

Part of subcall function 00FEE551: timeGetTime.WINMM(?,?,0103E6D4), ref: 00FEE555

Sleep.KERNEL32(0000000A), ref: 0103E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0103E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0103E727
SetActiveWindow.USER32 ref: 0103E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0103E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0103E773
Sleep.KERNEL32(000000FA), ref: 0103E77E
IsWindow.USER32 ref: 0103E78A
EndDialog.USER32(00000000), ref: 0103E79B

Strings

BUTTON, xrefs: 0103E719

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 159acb4b7854506dc50eb0f415f04db544434a07a6e4dab3a7499d643ed290df
Instruction ID: 73bbbab3a8739232e80f8e073159035e43f0ed4a1ba82a423c30b190694cab99
Opcode Fuzzy Hash: 159acb4b7854506dc50eb0f415f04db544434a07a6e4dab3a7499d643ed290df
Instruction Fuzzy Hash: CE21C670240601AFFB315F24EDD8A293B6DF788348F400635F5D182655DBBBAC109B24

Function 0103E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0103EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0103EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0103EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0103EAA7

Strings

play PlayMe wait, xrefs: 0103EA91
play PlayMe, xrefs: 0103EAA2
open , xrefs: 0103EA0C
status PlayMe mode, xrefs: 0103EA58
alias PlayMe, xrefs: 0103EA36
close PlayMe, xrefs: 0103EA6E, 0103EA9B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4cff909ac196c2cbf192a9652b25c6a7185f2ce3b4745350f81234447c2ddf0f
Instruction ID: 7e8d7395fed4943e46cf1b3aa92c6e7f52fc4df30f901876d61543b22529a505
Opcode Fuzzy Hash: 4cff909ac196c2cbf192a9652b25c6a7185f2ce3b4745350f81234447c2ddf0f
Instruction Fuzzy Hash: D1110630A5026979EB20A3A6DC5AEFF7ABCEFC1F00F04052AB441A60D0EEB11905D5B0

Function 01035CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 01035CE2
GetWindowRect.USER32(00000000,?), ref: 01035CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 01035D59
GetDlgItem.USER32(?,00000002), ref: 01035D69
GetWindowRect.USER32(00000000,?), ref: 01035D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 01035DCF
GetDlgItem.USER32(?,000003E9), ref: 01035DDD
GetWindowRect.USER32(00000000,?), ref: 01035DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 01035E31
GetDlgItem.USER32(?,000003EA), ref: 01035E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 01035E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 01035E67

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7d1e1dbac669655208b6e01807b80330de2b54028122d9333ed32c726d59d58a
Instruction ID: ab1fdaeb50aac960dffe0fcc62d6c3248a261345997e642c7c37925b21d4314d
Opcode Fuzzy Hash: 7d1e1dbac669655208b6e01807b80330de2b54028122d9333ed32c726d59d58a
Instruction Fuzzy Hash: C3510FB1B00205AFDB18DF68DD89AAE7BF9FB88301F548129F555E7294D774AE00CB60

Function 00FE8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE8BE8,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8FC5

DestroyWindow.USER32(?), ref: 00FE8C81
KillTimer.USER32(00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 01026973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 010269A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 010269B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000), ref: 010269D4
DeleteObject.GDI32(00000000), ref: 010269E6

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 770f3c135e2d4c3e10bd5506ac6aaa519b7bd814e30be99fa2328159bd5360a4
Instruction ID: 46a70a4684300cc1d7daed2a75ef3594b895eb91c482c81359e4d08613c4299e
Opcode Fuzzy Hash: 770f3c135e2d4c3e10bd5506ac6aaa519b7bd814e30be99fa2328159bd5360a4
Instruction Fuzzy Hash: F2610131502A90DFDB32AF1ACA08B2577F1FB41352F60451DE4C687564CB3BA882EF90

Function 00FE9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952

GetSysColor.USER32(0000000F), ref: 00FE9862

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 67442add0da4ff573bc5dfaf1b248eca4855983e9acce0545cb9f1a310be6bf4
Instruction ID: b71d5038156ed4ebeb2425349f0a8477bed2b3f7ea6b168712c6d8d68790a3ba
Opcode Fuzzy Hash: 67442add0da4ff573bc5dfaf1b248eca4855983e9acce0545cb9f1a310be6bf4
Instruction Fuzzy Hash: D7412231504690EFEB305F399884BB93BA5EB06330F544205FAE28B2F5C3B58941EB22

Function 010396E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0101F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01039717
LoadStringW.USER32(00000000,?,0101F7F8,00000001), ref: 01039720

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0101F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01039742
LoadStringW.USER32(00000000,?,0101F7F8,00000001), ref: 01039745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01039866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0103984A
Line %d (File "%s"):, xrefs: 0103978F
Error: , xrefs: 0103981D
Line %d:, xrefs: 010397A0
^ ERROR, xrefs: 010397FB

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 28e1f637e6b07b02fe31f63d826a20bbabec22bcd3b30c8c7a8ac43a4835182a
Instruction ID: 3e492ba19b259f37995f14b3e69e0e58ef3a98f69a4a43a14ed997b2b4e59dd6
Opcode Fuzzy Hash: 28e1f637e6b07b02fe31f63d826a20bbabec22bcd3b30c8c7a8ac43a4835182a
Instruction Fuzzy Hash: 42418E7290420AAADF04FBE0DE92DEE777EAF54344F540026F24172191EB796F48EB61

Function 010306DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010307A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010307BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010307DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01030804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0103082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01030837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0103083C

Strings

\IPC$, xrefs: 01030784
SOFTWARE\Classes\, xrefs: 0103070E
\CLSID, xrefs: 01030724

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 9fd11368a3debfca0f990a768ae6be19b9497bfdfe535b380c51213caa5ed1ad
Instruction ID: 4e74a3b76e9702790861cccf68629b6cac8d1c814e8848dbc908c02c701a256a
Opcode Fuzzy Hash: 9fd11368a3debfca0f990a768ae6be19b9497bfdfe535b380c51213caa5ed1ad
Instruction Fuzzy Hash: D7413C75C10229ABDF21EB94DC95CEDB7B9FF44750F08416AF981A3261EB349E04DB90

Function 01053C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01053C5C
CoInitialize.OLE32(00000000), ref: 01053C8A
CoUninitialize.OLE32 ref: 01053C94
_wcslen.LIBCMT ref: 01053D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01053DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01053ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01053F0E
CoGetObject.OLE32(?,00000000,0106FB98,?), ref: 01053F2D
SetErrorMode.KERNEL32(00000000), ref: 01053F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01053FC4
VariantClear.OLEAUT32(?), ref: 01053FD8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4573aed08976f2051c3ab09bf84247ae44d647abccb7fcf68f8e6ada5dd9daa7
Instruction ID: 38d8868d918ad06d7424d2265e4dd713579cf7a68c5c88ceb22459602b3508db
Opcode Fuzzy Hash: 4573aed08976f2051c3ab09bf84247ae44d647abccb7fcf68f8e6ada5dd9daa7
Instruction Fuzzy Hash: 2FC133716083059FD790DF68C88492BBBE9FF89788F04495DF98A9B250DB31ED05CB62

Function 01047A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01047AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01047B8F
SHGetDesktopFolder.SHELL32(?), ref: 01047BA3
CoCreateInstance.OLE32(0106FD08,00000000,00000001,01096E6C,?), ref: 01047BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01047C74
CoTaskMemFree.OLE32(?,?), ref: 01047CCC
SHBrowseForFolderW.SHELL32(?), ref: 01047D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01047D7A
CoTaskMemFree.OLE32(00000000), ref: 01047D81
CoTaskMemFree.OLE32(00000000), ref: 01047DD6
CoUninitialize.OLE32 ref: 01047DDC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 553b08bf9f74906bbd37fd7ec875ed9c2e6a0496312fb6dcc8364f4e0323967f
Instruction ID: b02c312fb952edcc46bb8a4467b5a8d98ecebf644c30d9c1ad74f83ec67a0673
Opcode Fuzzy Hash: 553b08bf9f74906bbd37fd7ec875ed9c2e6a0496312fb6dcc8364f4e0323967f
Instruction Fuzzy Hash: 84C15A75A00209AFDB14DFA4C8C4DAEBBF9FF48304B1484A9E9599B361DB35ED41CB90

Function 0106541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01065504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01065515
CharNextW.USER32(00000158), ref: 01065544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01065585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0106559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010655AC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: bdab0f53e297447e517ae88e007bf26ae61de5e2cb9bd9d856adf9c4f8ea8e25
Instruction ID: 0879dc71b458274840148f66b6edbc495daf107eadc9db55c7eee95fa1ca746c
Opcode Fuzzy Hash: bdab0f53e297447e517ae88e007bf26ae61de5e2cb9bd9d856adf9c4f8ea8e25
Instruction Fuzzy Hash: 54617434900209AFEF209F54CC849FE7BBDEF0A7A4F004185F6E5A7290D7759A41CB61

Function 0102FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0102FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0102FB08
VariantInit.OLEAUT32(?), ref: 0102FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0102FB3A
VariantCopy.OLEAUT32(?,?), ref: 0102FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0102FBA1
VariantClear.OLEAUT32(?), ref: 0102FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0102FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0102FBCC
VariantClear.OLEAUT32(?), ref: 0102FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0102FBE9

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b4856c262fb3f87e80bfbd3b28bcc72a593619cb9bc11f05d360a65af377211f
Instruction ID: acb5d94c334da6ae43d22e2211c79b573e55b20e53aff5ea7a075165a7cb86d7
Opcode Fuzzy Hash: b4856c262fb3f87e80bfbd3b28bcc72a593619cb9bc11f05d360a65af377211f
Instruction Fuzzy Hash: A8416375A0021ADFDF11DF68C8549EDBBB9FF48384F008065E985A7261CB35E945CFA0

Function 01039C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01039CA1
GetAsyncKeyState.USER32(000000A0), ref: 01039D22
GetKeyState.USER32(000000A0), ref: 01039D3D
GetAsyncKeyState.USER32(000000A1), ref: 01039D57
GetKeyState.USER32(000000A1), ref: 01039D6C
GetAsyncKeyState.USER32(00000011), ref: 01039D84
GetKeyState.USER32(00000011), ref: 01039D96
GetAsyncKeyState.USER32(00000012), ref: 01039DAE
GetKeyState.USER32(00000012), ref: 01039DC0
GetAsyncKeyState.USER32(0000005B), ref: 01039DD8
GetKeyState.USER32(0000005B), ref: 01039DEA

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f1986d121c2b0499c81e568c8a95325c4fd21af2abfd17b741e8d5930ab44014
Instruction ID: 8ddbc0a7a3485ff44324ce7747d7175fbc25d3aca39f0146376ede1111906efa
Opcode Fuzzy Hash: f1986d121c2b0499c81e568c8a95325c4fd21af2abfd17b741e8d5930ab44014
Instruction Fuzzy Hash: 3A41F9345047C969FFB2666885093B6BEE86F81308F0480DED6C6562C3DBE595C4CBA2

Function 0105055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010505BC
inet_addr.WSOCK32(?), ref: 0105061C
gethostbyname.WSOCK32(?), ref: 01050628
IcmpCreateFile.IPHLPAPI ref: 01050636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010506C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010506E5
IcmpCloseHandle.IPHLPAPI(?), ref: 010507B9
WSACleanup.WSOCK32 ref: 010507BF

Strings

Ping, xrefs: 01050676

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c31fdb28b5cf2da3ed8f2a070e3d760b7cd6eb7d074398e512da37d36509d8a6
Instruction ID: 530c88217615c81d873a2bbb035197678a15986a1affd996b3cd17d89c99e3f5
Opcode Fuzzy Hash: c31fdb28b5cf2da3ed8f2a070e3d760b7cd6eb7d074398e512da37d36509d8a6
Instruction Fuzzy Hash: 35918E759042019FD360CF19C988B1BBBE0BF44318F0885A9F9A98B7A6C735ED45CF91

Function 01058CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 01058CF3

Part of subcall function 01038E54: _wcslen.LIBCMT ref: 01038E77

_wcslen.LIBCMT ref: 01058D4E
_wcslen.LIBCMT ref: 01058D9C
_wcslen.LIBCMT ref: 01058DDC
_wcslen.LIBCMT ref: 01058E6E

Strings

winapi, xrefs: 01058D96, 01058D9B
stdcall, xrefs: 01058DD6, 01058DDB
cdecl, xrefs: 01058D48, 01058D4D
none, xrefs: 01058E65, 01058E6A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b934d34037c45b8cc22cdb644634b6aa4a9d0ca2efdcb7013ecbadc9748b6a22
Instruction ID: ced4025b4cc7a960c84c0658319db679311b62e2dd4e9f970ef330f5e9854e8a
Opcode Fuzzy Hash: b934d34037c45b8cc22cdb644634b6aa4a9d0ca2efdcb7013ecbadc9748b6a22
Instruction Fuzzy Hash: AD51C032A000169BCFA4DF6DC8508BFB7F6AF54324B24825AEDA6E7285D735DD40D790

Function 0105372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01053774
CoUninitialize.OLE32 ref: 0105377F
CoCreateInstance.OLE32(?,00000000,00000017,0106FB78,?), ref: 010537D9
IIDFromString.OLE32(?,?), ref: 0105384C
VariantInit.OLEAUT32(?), ref: 010538E4
VariantClear.OLEAUT32(?), ref: 01053936

Strings

Invalid parameter, xrefs: 01053865
Failed to create object, xrefs: 010537E4, 0105389A
NULL Pointer assignment, xrefs: 0105381E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 2db5bf910695abc9e91cf23bb07eecb122a34bc86d65ed27da0eaa3623559cf7
Instruction ID: c7cd3c74ee59b6bc1d673b338ded1d3d687f7a53860054f1f9dcfc2e21b1cb09
Opcode Fuzzy Hash: 2db5bf910695abc9e91cf23bb07eecb122a34bc86d65ed27da0eaa3623559cf7
Instruction Fuzzy Hash: 2C618E71608301AFD361DF55C888B6BBBE8FF88754F040859F9C59B291D774E948CB92

Function 01043388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010433CF

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010433F0

Strings

Line %d (File "%s"):, xrefs: 01043443, 0104345C
^ ERROR , xrefs: 0104349E
Error: , xrefs: 010434D1
Incorrect parameters to object property !, xrefs: 010434AB
"%s" (%d) : ==> %s:, xrefs: 01043522
"%s" (%d) : ==> %s:%s%s, xrefs: 01043504

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 53c2cbbf596e216b62ee677718ca8426f73758998bf3b5a8b2041ff0c0595603
Instruction ID: 3dc49e6d6bda82776387202897097a35a439c1a051a68de7117b61b076f3d4d2
Opcode Fuzzy Hash: 53c2cbbf596e216b62ee677718ca8426f73758998bf3b5a8b2041ff0c0595603
Instruction Fuzzy Hash: 2B51F17290021AABDF14EBE0CE42EEEB77AAF14340F144066F14576151EB7A2F58EF61

Function 0103B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0103B5FC
_wcslen.LIBCMT ref: 0103B608
_wcslen.LIBCMT ref: 0103B64D
_wcslen.LIBCMT ref: 0103B68C
_wcslen.LIBCMT ref: 0103B6C7

Strings

EXISTS, xrefs: 0103B686, 0103B68B
APPEND, xrefs: 0103B6C1, 0103B6C6
REMOVE, xrefs: 0103B602, 0103B607
KEYS, xrefs: 0103B647, 0103B64C

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: ea03d93c8856da25cf8c31e846d548aa488444c3e406de2a32b4b09308fa92f0
Instruction ID: f88ba4f06b81986e45942c1912d805af8ea06d391b0fb513294f003d6634ddc5
Opcode Fuzzy Hash: ea03d93c8856da25cf8c31e846d548aa488444c3e406de2a32b4b09308fa92f0
Instruction Fuzzy Hash: BC412832B000268BCB205F7DCC905BEBBE9BFD4658B144169E5A1DB286F639C881E390

Function 01045393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010453A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01045416
GetLastError.KERNEL32 ref: 01045420
SetErrorMode.KERNEL32(00000000,READY), ref: 010454A7

Strings

INVALID, xrefs: 01045459
READY, xrefs: 01045460, 01045468
READONLY, xrefs: 01045452
UNKNOWN, xrefs: 01045444
NOTREADY, xrefs: 0104544B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b159bba315553b762215af167254b20cbd942381428c2feb545358d30205a2fd
Instruction ID: 6f0f1b6f41f6c25da1d5f4b4afc45378b3d490dc5f705b32a4d3efe5887d6535
Opcode Fuzzy Hash: b159bba315553b762215af167254b20cbd942381428c2feb545358d30205a2fd
Instruction Fuzzy Hash: 6D319FB5A002059FDB11DF68C8C4AAA7BF4FB85309F0880A5F585CF292EB75D942CB90

Function 01063C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01063C79
SetMenu.USER32(?,00000000), ref: 01063C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01063D10
IsMenu.USER32(?), ref: 01063D24
CreatePopupMenu.USER32 ref: 01063D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01063D5B
DrawMenuBar.USER32 ref: 01063D63

Strings

0, xrefs: 01063C54
F, xrefs: 01063D4E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 30cc3d6934ce14de08e3147ed5d15d82301b3f802858a79698059384d908a2d5
Instruction ID: 70519c22da2a8c197c2e1518116ccd74c1c0fd156e53bb0e30968d13112c347f
Opcode Fuzzy Hash: 30cc3d6934ce14de08e3147ed5d15d82301b3f802858a79698059384d908a2d5
Instruction Fuzzy Hash: 5B417F75A01209EFEB24DF64E844ADA7BF9FF49350F040069FA8A9B360D735A910CF94

Function 01063A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01063A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01063AA0
GetWindowLongW.USER32(?,000000F0), ref: 01063AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01063AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01063B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01063BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01063BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01063BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01063BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01063C13

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 112352f5b5d9f57dc255ff36c71ad05ebcb93d5e7ef2fe5a1632e29163a87830
Instruction ID: a4b2639126ca93b18287cfb6cb409277444c8c7072372c39bc72030e27ee7cae
Opcode Fuzzy Hash: 112352f5b5d9f57dc255ff36c71ad05ebcb93d5e7ef2fe5a1632e29163a87830
Instruction Fuzzy Hash: F7616A75900208AFDB20DFA8CC81EEE77F8FF09714F10019AFA95AB291D775A945DB90

Function 0103B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0103B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B165
GetWindowThreadProcessId.USER32(00000000), ref: 0103B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0103B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B21D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3b1db2c314b246af02284a4ac496ec88b6c38791e87dc866b3545890ad93e05d
Instruction ID: b68c108820f56959957790cc2f2022563ecd9121f45f1d76a645ba33c96314be
Opcode Fuzzy Hash: 3b1db2c314b246af02284a4ac496ec88b6c38791e87dc866b3545890ad93e05d
Instruction Fuzzy Hash: FB31FD71180604BFEB359F28D849F6DBBEDBB86319F504104FAC2CA185C7BAA8008F24

Function 01002C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01002C94

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 01002CA0
_free.LIBCMT ref: 01002CAB
_free.LIBCMT ref: 01002CB6
_free.LIBCMT ref: 01002CC1
_free.LIBCMT ref: 01002CCC
_free.LIBCMT ref: 01002CD7
_free.LIBCMT ref: 01002CE2
_free.LIBCMT ref: 01002CED
_free.LIBCMT ref: 01002CFB

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: aa965520425a5ba993a18b61e1943a9391fb2edffb4ca5ebf3ae278adad05b08
Instruction ID: c4a5c549467f4ce043041e07c10291093d6a69478084efb5f7e8131261c4af66
Opcode Fuzzy Hash: aa965520425a5ba993a18b61e1943a9391fb2edffb4ca5ebf3ae278adad05b08
Instruction Fuzzy Hash: 1511B676500109BFEB03EF94D885CDD3BA9FF15390F6144A5FA889F2A1DA31EE509B90

Function 00FD1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FD1459
OleUninitialize.OLE32(?,00000000), ref: 00FD14F8
UnregisterHotKey.USER32(?), ref: 00FD16DD
DestroyWindow.USER32(?), ref: 010124B9
FreeLibrary.KERNEL32(?), ref: 0101251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0101254B

Strings

close all, xrefs: 00FD1454

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: cd5410b40ea7ee027a6844bf4af4cda483d3cca344f4f92eb9f92941775e90ea
Instruction ID: b29d196f10a7134eb2b10cb37aa3a24d4482faf95ff0c8e222f882915fb08ab3
Opcode Fuzzy Hash: cd5410b40ea7ee027a6844bf4af4cda483d3cca344f4f92eb9f92941775e90ea
Instruction Fuzzy Hash: DAD19931701212DFDB29EF15C998B28F7A5BF05700F2842AEE58A6B365CB34AC12DF50

Function 01047DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01047FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 01047FC1
GetFileAttributesW.KERNEL32(?), ref: 01047FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 01048005
SetCurrentDirectoryW.KERNEL32(?), ref: 01048017
SetCurrentDirectoryW.KERNEL32(?), ref: 01048060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010480B0

Strings

*.*, xrefs: 01048066

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cd5334f080d820bed8b8acbd0f583eafe605d2b41772794a6e612810d659e189
Instruction ID: a3c9cd633eb68de918236dc879005afd26d3c815c9e65bf6e997972653ae80ba
Opcode Fuzzy Hash: cd5334f080d820bed8b8acbd0f583eafe605d2b41772794a6e612810d659e189
Instruction Fuzzy Hash: 4981C1B25042019BDB74EF59C884AAEB7E9BF88310F084D6EF9C5C7250E735D945CB92

Function 00FD5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FD5C7A

Part of subcall function 00FD5D0A: GetClientRect.USER32(?,?), ref: 00FD5D30
Part of subcall function 00FD5D0A: GetWindowRect.USER32(?,?), ref: 00FD5D71
Part of subcall function 00FD5D0A: ScreenToClient.USER32(?,?), ref: 00FD5D99

GetDC.USER32 ref: 010146F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 01014708
SelectObject.GDI32(00000000,00000000), ref: 01014716
SelectObject.GDI32(00000000,00000000), ref: 0101472B
ReleaseDC.USER32(?,00000000), ref: 01014733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 010147C4

Strings

U, xrefs: 01014693

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e819c201679f4b7518b39605973d6faef0c5f1c5fb4255aa69893ffc96ed1ba2
Instruction ID: 0860b4c19cc7d5986dcfc46463849bf5723e87a7579a31f5ee21f49d859e25ba
Opcode Fuzzy Hash: e819c201679f4b7518b39605973d6faef0c5f1c5fb4255aa69893ffc96ed1ba2
Instruction Fuzzy Hash: EA71E331500205DFDF218F68C984ABE3BB6FF49365F1842A6EED59A26AC3399841DF50

Function 0104359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010435E4

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

LoadStringW.USER32(010A2390,?,00000FFF,?), ref: 0104360A

Strings

Line %d (File "%s"):, xrefs: 0104366B
Error: , xrefs: 010436EF
"%s" (%d) : ==> %s:, xrefs: 01043742
^ ERROR, xrefs: 010436C9
"%s" (%d) : ==> %s:%s%s, xrefs: 01043724

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 2cd4508b1b4f43b1a04efce96fd2e8cd860d7da88741543a6f84e3e57df22335
Instruction ID: 488dbfe35c086e19e2f0d7c94c0fd133af2cf962acb7cc4183f90513b992caa6
Opcode Fuzzy Hash: 2cd4508b1b4f43b1a04efce96fd2e8cd860d7da88741543a6f84e3e57df22335
Instruction Fuzzy Hash: 0D51A27280021ABBDF15EBE0CD81EEDBB7ABF14300F484126F14576251DB751A98EF61

Function 01068B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

Part of subcall function 00FE912D: GetCursorPos.USER32(?), ref: 00FE9141
Part of subcall function 00FE912D: ScreenToClient.USER32(00000000,?), ref: 00FE915E
Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000001), ref: 00FE9183
Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000002), ref: 00FE919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01068B6B
ImageList_EndDrag.COMCTL32 ref: 01068B71
ReleaseCapture.USER32 ref: 01068B77
SetWindowTextW.USER32(?,00000000), ref: 01068C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01068C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01068CFF

Strings

@GUI_DROPID, xrefs: 01068C51
@GUI_DRAGFILE, xrefs: 01068C9A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 9840b90bd0833558390d1591491ec5743cde5ff878de696fef876cb3a6b98088
Instruction ID: d0f109d127d5755c4ca24b20f1aa2c1185bd071aa4c07e5e012a20c16ed3b856
Opcode Fuzzy Hash: 9840b90bd0833558390d1591491ec5743cde5ff878de696fef876cb3a6b98088
Instruction Fuzzy Hash: 4951AB71208304AFE710DF64DC59FAA77E9FB88714F40062EF9D6972A1CB799904CB62

Function 0104C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0104C2CA
GetLastError.KERNEL32 ref: 0104C322
SetEvent.KERNEL32(?), ref: 0104C336
InternetCloseHandle.WININET(00000000), ref: 0104C341

Strings

, xrefs: 0104C2BB

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 7a7dc09a089ac3c8bd2660e1c96d0a3f78e68be3e3c750da4e8c5038aa4d45d1
Instruction ID: 28d8cdb07ef70945c986e1488bf6a296edbc66dfca4314240e920f69311193f9
Opcode Fuzzy Hash: 7a7dc09a089ac3c8bd2660e1c96d0a3f78e68be3e3c750da4e8c5038aa4d45d1
Instruction Fuzzy Hash: 073171B1601244AFF7319FA58AC4AAF7BFCEF49645B04856DE4C6D2210DB39DA048B60

Function 0103989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,01013AAF,?,?,Bad directive syntax error,0106CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010398BC
LoadStringW.USER32(00000000,?,01013AAF,?), ref: 010398C3

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01039987

Strings

Line %d (File "%s"):, xrefs: 0103992D
Line %d:, xrefs: 01039912
., xrefs: 0103996D
%s (%d) : ==> %s.: %s %s, xrefs: 010398F1
Error: , xrefs: 01039955

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d900e94fe707eff630bf387001ad72b8240154ff68150ddb63832ab17e6b0bca
Instruction ID: 6345a1127c76205edf7a9b9056ac330a0d1a70d8ceb908ea840c01dc811b9459
Opcode Fuzzy Hash: d900e94fe707eff630bf387001ad72b8240154ff68150ddb63832ab17e6b0bca
Instruction Fuzzy Hash: 1921D03190021EEBDF11AF90CC06EEE377ABF18304F08441AF65566061EB7A9A28EB11

Function 0103209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 010320AB
GetClassNameW.USER32(00000000,?,00000100), ref: 010320C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0103214D

Strings

smallicons, xrefs: 01032115
list, xrefs: 0103212F
largeicons, xrefs: 010320E1
details, xrefs: 010320FB
SHELLDLL_DefView, xrefs: 010320CC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 7e9b1bf0809f86d16e1aa8952e7e469cd16d04b7753fbeafb2a7c7083ee340ce
Instruction ID: 21f54509c4581e72a8296e8d99d2ee75b73ecf682fa9df996834551f5e637591
Opcode Fuzzy Hash: 7e9b1bf0809f86d16e1aa8952e7e469cd16d04b7753fbeafb2a7c7083ee340ce
Instruction Fuzzy Hash: 7B110A7A68830AB9FB122526DD16DBB379CCF55724B20015AF784A90A2FAB978016A14

Function 0100CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0100CEB7
_free.LIBCMT ref: 0100CF22
_free.LIBCMT ref: 0100CF48
_free.LIBCMT ref: 0100CF71
_free.LIBCMT ref: 0100CFA9
_free.LIBCMT ref: 0100CFDA
_free.LIBCMT ref: 0100D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0100D09C
_free.LIBCMT ref: 0100D0B5

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1ee7eff62ad01f277eea606da96a92ba99b82b1be0cc8ef7da01a95c0274133c
Instruction ID: 58456d234c6cb2d02f96d3b9b5e715a7124b16f558e63c8d123ff1a35081b8e2
Opcode Fuzzy Hash: 1ee7eff62ad01f277eea606da96a92ba99b82b1be0cc8ef7da01a95c0274133c
Instruction Fuzzy Hash: B2614972904205AFFB23AFB89984ABD7FE4AF01350F0442EDFAC4972C5D736990587A1

Function 010650D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01065186
ShowWindow.USER32(?,00000000), ref: 010651C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 010651CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 010651D1

Part of subcall function 01066FBA: DeleteObject.GDI32(00000000), ref: 01066FE6

GetWindowLongW.USER32(?,000000F0), ref: 0106520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0106521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0106524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01065287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01065296

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 45c56fef8ada4fe8d6e18c3aa9064f3e62c7848ca151203b3cd41da7666c3deb
Instruction ID: ac35a38895cde480c7e852350b133ef4f124679a7804b3221cfab87a067b3902
Opcode Fuzzy Hash: 45c56fef8ada4fe8d6e18c3aa9064f3e62c7848ca151203b3cd41da7666c3deb
Instruction Fuzzy Hash: 4F51C470A4020AFFFF309F28CC45BD83BA9FB463A1F144152F6959A2E0D3B9A590DB51

Function 00FE8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 01026890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 010268A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 010268B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 010268D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 010268F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FE8874,00000000,00000000,00000000,000000FF,00000000), ref: 01026901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0102691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FE8874,00000000,00000000,00000000,000000FF,00000000), ref: 0102692D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f1a154aeba12fb1890d103ae59a0cf0d6988fdb1b93ff57a202a72aaa18c3d69
Instruction ID: c9f8aa5137c2875dffb99097cafd85f3a852c5e8b6d8851880593741f11f4258
Opcode Fuzzy Hash: f1a154aeba12fb1890d103ae59a0cf0d6988fdb1b93ff57a202a72aaa18c3d69
Instruction Fuzzy Hash: 0651AE70600645EFEB20DF25CC41FAA7BF5FB88350F104618F996972A0DBB6E991EB50

Function 0104C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0104C182
GetLastError.KERNEL32 ref: 0104C195
SetEvent.KERNEL32(?), ref: 0104C1A9

Part of subcall function 0104C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104C272
Part of subcall function 0104C253: GetLastError.KERNEL32 ref: 0104C322
Part of subcall function 0104C253: SetEvent.KERNEL32(?), ref: 0104C336
Part of subcall function 0104C253: InternetCloseHandle.WININET(00000000), ref: 0104C341

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ffbe7c3b0d012973f3a46a118fa097a6e715a8e199554fe7851939e05949692c
Instruction ID: 5ea08834ba652fd1c64b1b9c14f067cdd0380a099a3e12143f21e4c0e5511c3b
Opcode Fuzzy Hash: ffbe7c3b0d012973f3a46a118fa097a6e715a8e199554fe7851939e05949692c
Instruction Fuzzy Hash: 663183B1502641BFFB219FB5DB84A6A7BF8FF14200B04442DF9DA82624D775E4149B60

Function 010325A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 010325BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010325DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010325DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 010325E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01032601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01032605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0103260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01032623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01032627

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e3fe75068930df16e1f5a3bf67cecf61145b31438d232c42754c469bb12ebf41
Instruction ID: a922baef9f9ff51c80b84c6404d31512fd2013c71746be5143616ed0767c744a
Opcode Fuzzy Hash: e3fe75068930df16e1f5a3bf67cecf61145b31438d232c42754c469bb12ebf41
Instruction Fuzzy Hash: 8401D830790610BBFB2076689C8AF593F5DDF8EB11F100001F394AE0D4C9F224458B69

Function 01031803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01031449,?,?,00000000), ref: 0103180C
HeapAlloc.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 01031813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01031449,?,?,00000000), ref: 01031828
GetCurrentProcess.KERNEL32(?,00000000,?,01031449,?,?,00000000), ref: 01031830
DuplicateHandle.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 01031833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01031449,?,?,00000000), ref: 01031843
GetCurrentProcess.KERNEL32(01031449,00000000,?,01031449,?,?,00000000), ref: 0103184B
DuplicateHandle.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 0103184E
CreateThread.KERNEL32(00000000,00000000,01031874,00000000,00000000,00000000), ref: 01031868

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f05c1ab3934ec78a07636650c0765e73c4546375e0666cae92870035b328b0db
Instruction ID: da59f13c231daa53d467d9427a1e4ad1374f97c6c3c58e86aeb843908d71d8d0
Opcode Fuzzy Hash: f05c1ab3934ec78a07636650c0765e73c4546375e0666cae92870035b328b0db
Instruction Fuzzy Hash: 8001A8B5240348FFF620ABA5DD49F6B3BACEB8AB11F004411FA85DB1A5CA7598008B20

Function 0105A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0103D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0103D501
Part of subcall function 0103D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0103D50F
Part of subcall function 0103D4DC: CloseHandle.KERNEL32(00000000), ref: 0103D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105A16D
GetLastError.KERNEL32 ref: 0105A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0105A268
GetLastError.KERNEL32(00000000), ref: 0105A273
CloseHandle.KERNEL32(00000000), ref: 0105A2C4

Strings

SeDebugPrivilege, xrefs: 0105A18F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 779dc2add59615fb39076b2afe229bce6a0e18df3419f52d1c4df6010c39de8a
Instruction ID: 778f9c987f13c35cea4a2278e8a5a057e3e7a7d90d40510e123a6f882fc919a7
Opcode Fuzzy Hash: 779dc2add59615fb39076b2afe229bce6a0e18df3419f52d1c4df6010c39de8a
Instruction Fuzzy Hash: A961B130204242DFE760DF18C495F5ABBE1AF44358F18858CE9968F7A3C776E945CB91

Function 01063886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01063925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0106393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01063954
_wcslen.LIBCMT ref: 01063999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010639C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010639F4

Strings

SysListView32, xrefs: 010638F7

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 2c4c18d4858603874de5404b69870de033aad146bbdb60bd97c31a8a31c39d68
Instruction ID: 7ab82b93cc7e284cbdcdf5a8c3f74da0305a57b280f274b1d05bcfef347be60f
Opcode Fuzzy Hash: 2c4c18d4858603874de5404b69870de033aad146bbdb60bd97c31a8a31c39d68
Instruction Fuzzy Hash: B5418271A00319ABEF219F64CC45FEA7BADFF08350F10056AF998EB291D7759980CB90

Function 0103BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0103BCFD
IsMenu.USER32(00000000), ref: 0103BD1D
CreatePopupMenu.USER32 ref: 0103BD53
GetMenuItemCount.USER32(01375DD8), ref: 0103BDA4
InsertMenuItemW.USER32(01375DD8,?,00000001,00000030), ref: 0103BDCC

Strings

0, xrefs: 0103BCA8
2, xrefs: 0103BD37

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: ad3b182be783f6f02e0d0de015f5bb7be362fd56707670eb68e1b3b37f370b4d
Instruction ID: 621e5d99bd9eea538b941377ad26c45b01d1b7b09b54f9a86efebc18ca4d2e46
Opcode Fuzzy Hash: ad3b182be783f6f02e0d0de015f5bb7be362fd56707670eb68e1b3b37f370b4d
Instruction Fuzzy Hash: B551B270A002099BEF21EFACD988BADBFFCBF85318F144199E581DB291E7709541CB52

Function 0103C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0103C913

Strings

question, xrefs: 0103C8CC
stop, xrefs: 0103C8E4
warning, xrefs: 0103C8FC
blank, xrefs: 0103C895
info, xrefs: 0103C8B4

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 00caf5ffd17d8e8e0a75de1baeea8e4e8e40bd548610bb3890630716c461cd9a
Instruction ID: 470ae78f8959afaea8e1818a7093fdecc666b8fd75ee9272e6f8c4ca1babfc9d
Opcode Fuzzy Hash: 00caf5ffd17d8e8e0a75de1baeea8e4e8e40bd548610bb3890630716c461cd9a
Instruction Fuzzy Hash: 3911EB3668930BBAFB019B559D86CAF77DCDF45360B1100AFF580FA182E7A96F006264

Function 0103ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0103ED2A
_wcslen.LIBCMT ref: 0103ED3B
_wcslen.LIBCMT ref: 0103ED79
_wcslen.LIBCMT ref: 0103EDAF
_wcslen.LIBCMT ref: 0103EDDF
_wcslen.LIBCMT ref: 0103EDEF
_wcslen.LIBCMT ref: 0103EE2B
_wcslen.LIBCMT ref: 0103EE5A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: c5f406a3f56e1af55ce3ac0e89f022617a788e225b013364e96d467846d05838
Instruction ID: 3b231c6da6320ea9afb113cf2ef356134a5dcf7375903c5d491b94028f099d67
Opcode Fuzzy Hash: c5f406a3f56e1af55ce3ac0e89f022617a788e225b013364e96d467846d05838
Instruction Fuzzy Hash: 33419F65D1021C65CB21EBB4CC8A9DFB7ACAF85710F408566E618E3122FB38E255C3E5

Function 00FEF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 00FEF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0102F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0102F454

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bc346db4eb060e702fd9b603a39f7053719e90a9221be7a047a66e6c7124e483
Instruction ID: a5b28658de1d1bdc9629fa5511fafb76d3b4b3f74f271ef21e6fbded320916ec
Opcode Fuzzy Hash: bc346db4eb060e702fd9b603a39f7053719e90a9221be7a047a66e6c7124e483
Instruction Fuzzy Hash: D9415A31A086C0BAD7398B2FCD8872E7FA1AB46360F15802DE0C757562C67AA588E711

Function 01062D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01062D1B
GetDC.USER32(00000000), ref: 01062D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01062D2E
ReleaseDC.USER32(00000000,00000000), ref: 01062D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01062D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01062D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01065A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01062DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01062DE1

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 58973c690e37be8eaba8b4d869e18e1f96a5d222a962799a103443942544d8e7
Instruction ID: 045e96b28ae87bbd34d8627fc2a8f10d220145d33d6dbcba0da19db67519903a
Opcode Fuzzy Hash: 58973c690e37be8eaba8b4d869e18e1f96a5d222a962799a103443942544d8e7
Instruction Fuzzy Hash: FA318B72201214BBFB218F548C8AFEB3FADEF09715F044055FE889A291C6BA9840C7A4

Function 01035622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01035637
_memcmp.LIBVCRUNTIME ref: 01035659
_memcmp.LIBVCRUNTIME ref: 01035671
_memcmp.LIBVCRUNTIME ref: 01035684
_memcmp.LIBVCRUNTIME ref: 0103569E
_memcmp.LIBVCRUNTIME ref: 010356B1
_memcmp.LIBVCRUNTIME ref: 010356C9
_memcmp.LIBVCRUNTIME ref: 010356E4

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a301a688d76f2037b4d60cdc687cc3421fae333726dfb61ff0c819696e7e5c6c
Instruction ID: fe6f2512886ca7cc0a4abe80bbe5e296e1759b29bd300b355bf0cddc5cf51c4a
Opcode Fuzzy Hash: a301a688d76f2037b4d60cdc687cc3421fae333726dfb61ff0c819696e7e5c6c
Instruction Fuzzy Hash: 1B21F9B174420AB7E2155926BE92FFE339DBFA4294F040014FE859F561F724ED10D1E5

Function 01054FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 01055007
NULL Pointer assignment, xrefs: 0105502E, 01055383

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bcdad2199d734e210eb53e4a4a837e7f377a1b1e7821b56718d7402832b7cd9f
Instruction ID: 8c2adcff9855073ed26317a6315ff6b900c54d909c4b88ce66d4d18e782113e0
Opcode Fuzzy Hash: bcdad2199d734e210eb53e4a4a837e7f377a1b1e7821b56718d7402832b7cd9f
Instruction Fuzzy Hash: 15D1A275A0020A9FDF90CF98CC80AAEBBF5BF48354F148469ED95AB281E771D945CB50

Function 01011522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,010117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 010115CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01011651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,010117FB,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010116E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010116FB

Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01011777
__freea.LIBCMT ref: 010117A2
__freea.LIBCMT ref: 010117AE

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7707fe4eeab04668799703d158c5c3ebae37751c5823b9ee323c4ab061d23d1a
Instruction ID: e7fdcba3b2615d9e30818f9b71ea2be4599d568b9f1cba52e1ba6a314bce97da
Opcode Fuzzy Hash: 7707fe4eeab04668799703d158c5c3ebae37751c5823b9ee323c4ab061d23d1a
Instruction Fuzzy Hash: 6A91CC71E042169FEB298E78C841AEE7BF5AF09710F1C4599EB81E7288D73DD940C7A0

Function 01054523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01054648
VariantInit.OLEAUT32(?), ref: 01054749
VariantClear.OLEAUT32(?), ref: 01054753
VariantClear.OLEAUT32(?), ref: 010547B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 010545D8, 01054706, 010547BE
Incorrect Object type in FOR..IN loop, xrefs: 0105472C

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: cc273c487ea527733c65152c34677885ca89dbe0d97e90224936718bda2e97be
Instruction ID: 89c1fed37558b0c52e7f854895ce081f7e4af0a7c86d280fe371321246e3fa21
Opcode Fuzzy Hash: cc273c487ea527733c65152c34677885ca89dbe0d97e90224936718bda2e97be
Instruction Fuzzy Hash: B7915D71A00219EBDF64CFA5C884FEFBBB8EF45714F008559E945EB281E7709985CBA0

Function 01041187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0104125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01041284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010412A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010412D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0104135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010413C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01041430

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 949c37bd76516d39b248061f6db02db519fcb20f836f50daa5347dc5b379a650
Instruction ID: 69e08e32beeb3ac7854d5b409c17d5e9f1a90399f4e235503337a3ffd8522481
Opcode Fuzzy Hash: 949c37bd76516d39b248061f6db02db519fcb20f836f50daa5347dc5b379a650
Instruction Fuzzy Hash: BB91A1B5A00209AFEB11DF98C8C4BBE77B5FF45315F144079E680EB291DB79A981CB90

Function 00FE948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b42b90b3e78f2d888db7c36582d0caf3c8039fef3b6af53c0054a15c334768e1
Instruction ID: 811b37544c199333d590c4ab2563f325d86e7c220103c41c736b336682199125
Opcode Fuzzy Hash: b42b90b3e78f2d888db7c36582d0caf3c8039fef3b6af53c0054a15c334768e1
Instruction Fuzzy Hash: 52916871D04219EFDB10CFAACC84AEEBBB8FF49320F148449E555B7251D3B8AA41DB60

Function 01053947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0105396B
CharUpperBuffW.USER32(?,?), ref: 01053A7A
_wcslen.LIBCMT ref: 01053A8A
VariantClear.OLEAUT32(?), ref: 01053C1F

Part of subcall function 01040CDF: VariantInit.OLEAUT32(00000000), ref: 01040D1F
Part of subcall function 01040CDF: VariantCopy.OLEAUT32(?,?), ref: 01040D28
Part of subcall function 01040CDF: VariantClear.OLEAUT32(?), ref: 01040D34

Strings

Incorrect Parameter format, xrefs: 010539A6, 01053BA1
AUTOIT.ERROR, xrefs: 01053A80, 01053A85

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 482fcd16192fa722126449b339c02e4309f70af060b84fbc3069d24eae908820
Instruction ID: c6795db04b5f77a381133ffc3403ce27d3a29ede6da26cf33a1d5dd1e5c231fd
Opcode Fuzzy Hash: 482fcd16192fa722126449b339c02e4309f70af060b84fbc3069d24eae908820
Instruction Fuzzy Hash: E5915775A083059FCB40DF28C88096ABBE5BF88354F04896EF9899B351DB35ED45CB92

Function 01054BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0103000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?,?,0103035E), ref: 0103002B
Part of subcall function 0103000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030046
Part of subcall function 0103000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030054
Part of subcall function 0103000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?), ref: 01030064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01054C51
_wcslen.LIBCMT ref: 01054D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01054DCF
CoTaskMemFree.OLE32(?), ref: 01054DDA

Strings

NULL Pointer assignment, xrefs: 01054E23, 01054E52

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: bde510c4b02b68f38242f0a54d021c507ed9eeded5cc2d98757ca16cd1043d9c
Instruction ID: 9800d67f19fda851104d9cb3db59c05eb471f059b2c1ae28cce22a8ba8247cb0
Opcode Fuzzy Hash: bde510c4b02b68f38242f0a54d021c507ed9eeded5cc2d98757ca16cd1043d9c
Instruction Fuzzy Hash: 77914771D0021DAFDF20DFA4DC90AEEBBB9BF48310F10816AE955A7251EB749A44DF60

Function 010620FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01062183
GetMenuItemCount.USER32(00000000), ref: 010621B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010621DD
_wcslen.LIBCMT ref: 01062213
GetMenuItemID.USER32(?,?), ref: 0106224D
GetSubMenu.USER32(?,?), ref: 0106225B

Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010622E3

Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 142ce86041f8c34a230e1c05ae476200b365bc3327e7c2bf0e9984b952cff4b9
Instruction ID: 1bacc85326933825c6ed706574697fdb211d4470e83537e660c48c8a70184506
Opcode Fuzzy Hash: 142ce86041f8c34a230e1c05ae476200b365bc3327e7c2bf0e9984b952cff4b9
Instruction Fuzzy Hash: 65717075E00206EFCB10DF68C845AAEBBF9EF88310F148499E996EB351D735E9418B90

Function 0103AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0103AEF9
GetKeyboardState.USER32(?), ref: 0103AF0E
SetKeyboardState.USER32(?), ref: 0103AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0103AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0103AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0103AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0103B020

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cf5bf3758e9a5a4bcb43ce60a46702a6a8a81425b0c7367a4ee94df527f5348a
Instruction ID: dcdda6f7b8d5dd6210e18cc905720b2ff74d97c2e9c4dc556c3f0da4a5511b48
Opcode Fuzzy Hash: cf5bf3758e9a5a4bcb43ce60a46702a6a8a81425b0c7367a4ee94df527f5348a
Instruction Fuzzy Hash: 8951E3A06047D57DFB764238C845BBABEED5B86308F0885C9F2D9964D2C3D9A8C4D760

Function 0103ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0103AD19
GetKeyboardState.USER32(?), ref: 0103AD2E
SetKeyboardState.USER32(?), ref: 0103AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0103ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0103ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0103AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0103AE38

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 255f225906d6ab0f09de3dd24de045f067bedda0c890e9a3470957a80f589702
Instruction ID: 527a20a00bd03e8878412d67805cb697a3a877bf4b6827a311a0279fb4720fc8
Opcode Fuzzy Hash: 255f225906d6ab0f09de3dd24de045f067bedda0c890e9a3470957a80f589702
Instruction Fuzzy Hash: E451E7A17047D57EFB379238CC59BBA7EDC5B86304F0885C8E1D6874C2D294E884D760

Function 0100542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(01013CD6,?,?,?,?,?,?,?,?,01005BA3,?,?,01013CD6,?,?), ref: 01005470
__fassign.LIBCMT ref: 010054EB
__fassign.LIBCMT ref: 01005506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,01013CD6,00000005,00000000,00000000), ref: 0100552C
WriteFile.KERNEL32(?,01013CD6,00000000,01005BA3,00000000,?,?,?,?,?,?,?,?,?,01005BA3,?), ref: 0100554B
WriteFile.KERNEL32(?,?,00000001,01005BA3,00000000,?,?,?,?,?,?,?,?,?,01005BA3,?), ref: 01005584

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b8b5f39179328974c68b370caee3b259fce603fb6ad279ee87e42dadb21aaa67
Instruction ID: fad42c17f26f2de9184f950cc57bf5853d17be7232e586263fee1967f89829d6
Opcode Fuzzy Hash: b8b5f39179328974c68b370caee3b259fce603fb6ad279ee87e42dadb21aaa67
Instruction Fuzzy Hash: 6451BF70A002499FEB22CFA8DC55AEEBBF9EF09301F14415AF995E7291D6319A41CF60

Function 00FF2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FF2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00FF2D53
_ValidateLocalCookies.LIBCMT ref: 00FF2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00FF2E0C
_ValidateLocalCookies.LIBCMT ref: 00FF2E61

Strings

csm, xrefs: 00FF2DF6

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f7bd6224d96904da030aadefab687ddf5dcda9ae10034af94941dfcf4f3fcf99
Instruction ID: 569ab40d31e24c7b9c3318080b1d97128085cae5f8a2f9048d7c8a1095877188
Opcode Fuzzy Hash: f7bd6224d96904da030aadefab687ddf5dcda9ae10034af94941dfcf4f3fcf99
Instruction Fuzzy Hash: D041B335E0020DABCF10DF68CC95ABEBBB5BF45324F148155EA14AB362D7399A05DB90

Function 010510B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0105304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
Part of subcall function 0105304E: _wcslen.LIBCMT ref: 0105309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01051112
WSAGetLastError.WSOCK32 ref: 01051121
WSAGetLastError.WSOCK32 ref: 010511C9
closesocket.WSOCK32(00000000), ref: 010511F9

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 411542f2f83e35a9e5a7ddb458f99071b3a99d5b089bd39ab6b739c7827533c6
Instruction ID: 5fea2a7d6d14d5c539a584ddd55500b57e396f4fc6805ccc21446e9a50d18906
Opcode Fuzzy Hash: 411542f2f83e35a9e5a7ddb458f99071b3a99d5b089bd39ab6b739c7827533c6
Instruction Fuzzy Hash: 03412B31600204AFEB609F28C844BAEBBE9FF45364F048099FC959B295C779ED41CBE5

Function 0103CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0103CF22,?), ref: 0103DDFD

Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0103CF22,?), ref: 0103DE16

lstrcmpiW.KERNEL32(?,?), ref: 0103CF45
MoveFileW.KERNEL32(?,?), ref: 0103CF7F
_wcslen.LIBCMT ref: 0103D005
_wcslen.LIBCMT ref: 0103D01B
SHFileOperationW.SHELL32(?), ref: 0103D061

Strings

\*.*, xrefs: 0103CFF3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 8e44ea0315bece9f24bc4e345bc45ebdd13d103dd408e6ba2c102f6f2bddf1d5
Instruction ID: c46a69caed7f51650b2f80320c10e0511cd6f057aa9aa5a569cc2b371a3dcd2a
Opcode Fuzzy Hash: 8e44ea0315bece9f24bc4e345bc45ebdd13d103dd408e6ba2c102f6f2bddf1d5
Instruction Fuzzy Hash: 774155719052195FEF52EBA4DA81ADEB7FCAF58380F0000E6E689EB141EB35A744CF50

Function 01062DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01062E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 01062E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 01062E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01062EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 01062EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 01062EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01062F0B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 66c3990766660ded6639d2566ccc3282cde3b4ecf59a489a48a07bacbf70ea5a
Instruction ID: 6c21fb142d4c51ca54f652e7aa93b939937cd6b8b8fa6433dea680f642455f71
Opcode Fuzzy Hash: 66c3990766660ded6639d2566ccc3282cde3b4ecf59a489a48a07bacbf70ea5a
Instruction Fuzzy Hash: 57312430644241AFEB21CF5CDD84FA537E8FB9A710F1501A5FA908F2A6CB76A840CB01

Function 01037726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0103778F
SysAllocString.OLEAUT32(00000000), ref: 01037792
SysAllocString.OLEAUT32(?), ref: 010377B0
SysFreeString.OLEAUT32(?), ref: 010377B9
StringFromGUID2.OLE32(?,?,00000028), ref: 010377DE
SysAllocString.OLEAUT32(?), ref: 010377EC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: db02726c772ca753a3445e64f863876a16afdacb071127dd046fff1a8b728565
Instruction ID: fd97319947ae23b3632598ee0d9cc216ec98d91217a4c3d1fed49129191456c0
Opcode Fuzzy Hash: db02726c772ca753a3445e64f863876a16afdacb071127dd046fff1a8b728565
Instruction Fuzzy Hash: CB21B0B6604219AFEB11DEADCC88CBB77ECFB492647008066FA84DB251DA74DC41C760

Function 010377FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037868
SysAllocString.OLEAUT32(00000000), ref: 0103786B
SysAllocString.OLEAUT32 ref: 0103788C
SysFreeString.OLEAUT32 ref: 01037895
StringFromGUID2.OLE32(?,?,00000028), ref: 010378AF
SysAllocString.OLEAUT32(?), ref: 010378BD

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b2a3bb50461f97d03372da4702b40f67f7c5ea58232d81baac1ae0034b67ba74
Instruction ID: ae540356ce52488a77f3e5e18288388e7c4b10473fa9a1eedb0b2bf597bb381e
Opcode Fuzzy Hash: b2a3bb50461f97d03372da4702b40f67f7c5ea58232d81baac1ae0034b67ba74
Instruction Fuzzy Hash: 5C21C171600204AFEB209FADCC88DAA77ECEB493607008025F994CB2A5DA74DC41CB74

Function 010405A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 010405C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01040601

Strings

nul, xrefs: 01040639

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ef4b12637e06ce83b6b084f7124312954b881a18fffddc972ef6e0d50ced975d
Instruction ID: 5629ebd9f968070f5f2e4bac6c63070a570510135bdc593f4756577f3f44d98c
Opcode Fuzzy Hash: ef4b12637e06ce83b6b084f7124312954b881a18fffddc972ef6e0d50ced975d
Instruction Fuzzy Hash: 2121A6B55003059BEB209F6DC884ADA7BE4AF89724F304A69FEE2F72D8D7719540CB50

Function 010404D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 010404F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0104052E

Strings

nul, xrefs: 01040567

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 38482ca61c329aa4e2e6dd96a007a00bb4e832336d839d5d4c0931a3eb4116d7
Instruction ID: 83678e57a6ddbc2e328ecf78d4c0ad81e1b4fd4a7a237ef8ec0ae845722d4255
Opcode Fuzzy Hash: 38482ca61c329aa4e2e6dd96a007a00bb4e832336d839d5d4c0931a3eb4116d7
Instruction Fuzzy Hash: 362171F1500305EBEB209F29D884ADB7BE4EF45724F104A69FAE1E71E8D7719540CB60

Function 010640AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
Part of subcall function 00FD600E: GetStockObject.GDI32(00000011), ref: 00FD6060
Part of subcall function 00FD600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01064112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0106411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0106412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01064139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01064145

Strings

Msctls_Progress32, xrefs: 010640E3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9a91ac2beabc28fa7d2c859cf71c9d82dc3e29ebc422f3c6db6d44c4dff798c9
Instruction ID: bdfef38d8b799715c2954b65a0b2d36d129f15237c00b003779cc64aef258c7f
Opcode Fuzzy Hash: 9a91ac2beabc28fa7d2c859cf71c9d82dc3e29ebc422f3c6db6d44c4dff798c9
Instruction Fuzzy Hash: FE1182B215021ABEFF219E64CC85EEB7F9DEF08798F014111FA58E6150C6769C21DBA4

Function 0100D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0100D7A3: _free.LIBCMT ref: 0100D7CC

_free.LIBCMT ref: 0100D82D

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 0100D838
_free.LIBCMT ref: 0100D843
_free.LIBCMT ref: 0100D897
_free.LIBCMT ref: 0100D8A2
_free.LIBCMT ref: 0100D8AD
_free.LIBCMT ref: 0100D8B8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 3aac571e8af34bbd681cc50084bb9e42a53d80b87334a38304f0e981b84b7aa9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 6B113771940B45AAFA23BFF4CC49FCB7BDCBF60700F400825A2DDA60D0EA65B5058762

Function 0103DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0103DA74
LoadStringW.USER32(00000000), ref: 0103DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0103DA91
LoadStringW.USER32(00000000), ref: 0103DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0103DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0103DAB9

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4f69e2289048aee5f8d6ddf4c5f69f9c349e19f5920e47cfc2b3776aa9d67908
Instruction ID: a5ea3365a5f75a751a209cc0b3122f74cd054001c93f04fe16f3851707d37cea
Opcode Fuzzy Hash: 4f69e2289048aee5f8d6ddf4c5f69f9c349e19f5920e47cfc2b3776aa9d67908
Instruction Fuzzy Hash: D70162F2500208BFF7109BE49E89EEB376CE708301F400496F7C6E6045EA799E844B74

Function 0104096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0136EBE8,0136EBE8), ref: 0104097B
EnterCriticalSection.KERNEL32(0136EBC8,00000000), ref: 0104098D
TerminateThread.KERNEL32(01369DF0,000001F6), ref: 0104099B
WaitForSingleObject.KERNEL32(01369DF0,000003E8), ref: 010409A9
CloseHandle.KERNEL32(01369DF0), ref: 010409B8
InterlockedExchange.KERNEL32(0136EBE8,000001F6), ref: 010409C8
LeaveCriticalSection.KERNEL32(0136EBC8), ref: 010409CF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 124301a2afd15fccd5d589ee976a6a5d34fd9a63013c37bda1b6ae31525924c0
Instruction ID: 2a4db53aa06f65736638d93bfa1513b93368d33f20ae90b57cc5301fbd0b7500
Opcode Fuzzy Hash: 124301a2afd15fccd5d589ee976a6a5d34fd9a63013c37bda1b6ae31525924c0
Instruction Fuzzy Hash: B5F01D31442512BBF7615BA4EF88AD67A25BF01702F401025F281608A8C77A9465CFA0

Function 01051C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01051DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01051DE1
WSAGetLastError.WSOCK32 ref: 01051DF2
htons.WSOCK32(?,?,?,?,?), ref: 01051EDB
inet_ntoa.WSOCK32(?), ref: 01051E8C

Part of subcall function 010339E8: _strlen.LIBCMT ref: 010339F2

Part of subcall function 01053224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0104EC0C), ref: 01053240

_strlen.LIBCMT ref: 01051F35

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: b16b89b252fee3dc724617bd0a34a05537121980151cc22211a159471f31e82f
Instruction ID: 699f4ccb9ae05673ee3347926c479e938a91a487773d86b785a92d8dcbd292d2
Opcode Fuzzy Hash: b16b89b252fee3dc724617bd0a34a05537121980151cc22211a159471f31e82f
Instruction Fuzzy Hash: 4BB1BF30204340AFD764DF24C885F2A7BE5AF94318F58858DF9965B2A2CB75ED42CB91

Function 010001B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 010000BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010000D6
__allrem.LIBCMT ref: 010000ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100010B
__allrem.LIBCMT ref: 01000122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01000140

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 1c8448dce8cc15a174d1d1ffe8294a1e8b22dd9f4545ed7bf929efcdd96bbd19
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 70811676A00B069BF7269E78CC40BAB73E9AF51764F24463EF691D72D0E774D9008B90

Function 010061FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FF82D9,00FF82D9,?,?,?,0100644F,00000001,00000001,8BE85006), ref: 01006258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0100644F,00000001,00000001,8BE85006,?,?,?), ref: 010062DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 010063D8
__freea.LIBCMT ref: 010063E5

Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

__freea.LIBCMT ref: 010063EE
__freea.LIBCMT ref: 01006413

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7034a82da91fcac003f688c616e2d4ef6f98624b6124d1c98923a4d114a2e252
Instruction ID: 3a167b4512316bd94e8d1b5198120e3360e9c942e8fa05175ecf796e2b43383e
Opcode Fuzzy Hash: 7034a82da91fcac003f688c616e2d4ef6f98624b6124d1c98923a4d114a2e252
Instruction Fuzzy Hash: DD51E872600216AFFB274E64CC81EAF7BEAEF44650F158269FD45DA1C0DB36DC50C6A0

Function 0105BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105BD25
RegCloseKey.ADVAPI32(00000000), ref: 0105BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0105BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0105BDF3
RegCloseKey.ADVAPI32(?), ref: 0105BDFF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 270f6f2299be7d553b9a2247e297e7cabc75c17e1fdcce6eed0bc684fddeac8f
Instruction ID: 5069ca4d37dda5d075f4a7ee905dfac34f16be41df8998abe0669ea1489bd471
Opcode Fuzzy Hash: 270f6f2299be7d553b9a2247e297e7cabc75c17e1fdcce6eed0bc684fddeac8f
Instruction Fuzzy Hash: 5581B330208241AFD754EF24C895E2BBBE6FF84308F18459DF5954B2A2DB35ED05DB92

Function 0102F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0102F7B9
SysAllocString.OLEAUT32(00000001), ref: 0102F860
VariantCopy.OLEAUT32(0102FA64,00000000), ref: 0102F889
VariantClear.OLEAUT32(0102FA64), ref: 0102F8AD
VariantCopy.OLEAUT32(0102FA64,00000000), ref: 0102F8B1
VariantClear.OLEAUT32(?), ref: 0102F8BB

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 063b8aa6cb9741d57956e31117dd4e3a12747581d8e99c263ee0d83582816d24
Instruction ID: a4d9d89b52ec5642ae68895a76ff8ab95ee46fc4f47528a40885e237d80ba23b
Opcode Fuzzy Hash: 063b8aa6cb9741d57956e31117dd4e3a12747581d8e99c263ee0d83582816d24
Instruction Fuzzy Hash: 7851E331600322BADF20AF65D884B6DB3F9EF45350F24845BE986DF295DBB49C40CB96

Function 0104910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 010494E5
_wcslen.LIBCMT ref: 01049506
_wcslen.LIBCMT ref: 0104952D
GetSaveFileNameW.COMDLG32(00000058), ref: 01049585

Strings

X, xrefs: 01049412

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 2e6dd4e1419ec78a3f782344b465e5db8c2629c72aff3306290756ad0e679c46
Instruction ID: 42465ca81f31589b0cf966817e7466fd51700674d7dce6c092d2df69ae5c90e9
Opcode Fuzzy Hash: 2e6dd4e1419ec78a3f782344b465e5db8c2629c72aff3306290756ad0e679c46
Instruction Fuzzy Hash: 59E180716083418FD724DF24C881A6AB7E5BF89314F18857DF9899B3A2DB35ED04CB92

Function 00FE920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

BeginPaint.USER32(?,?,?), ref: 00FE9241
GetWindowRect.USER32(?,?), ref: 00FE92A5
ScreenToClient.USER32(?,?), ref: 00FE92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FE92D3
EndPaint.USER32(?,?,?,?,?), ref: 00FE9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 010271EA

Part of subcall function 00FE9339: BeginPath.GDI32(00000000), ref: 00FE9357

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: a86b0d2afc63f70f74122dcebd6a45e2fcaa2463dd5c3e273236913751886bbd
Instruction ID: 8bdb5b02df2c3b221a83173b7b870337f9abee4d4af85e26a70d13e67f4b1e3c
Opcode Fuzzy Hash: a86b0d2afc63f70f74122dcebd6a45e2fcaa2463dd5c3e273236913751886bbd
Instruction Fuzzy Hash: 2941B031108340AFD721DF29C884FAA7BE9EF59320F140269FAE4871E1C7769845EB62

Function 010407EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0104080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01040847
EnterCriticalSection.KERNEL32(?), ref: 01040863
LeaveCriticalSection.KERNEL32(?), ref: 010408DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010408F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 01040921

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ae2c7cc5ae28c645a37fd7dc67861bc3a36a9578c47eea84c14178c2e13e97c5
Instruction ID: 7ebaed5da5dffe4992cf38ba1de04780f5fa6b661751ada75dad63d6d51428ef
Opcode Fuzzy Hash: ae2c7cc5ae28c645a37fd7dc67861bc3a36a9578c47eea84c14178c2e13e97c5
Instruction Fuzzy Hash: FA418B71900205EBEF159F54DC81AAA77B9FF04300F1080B9EE40AA29ADB35EE54DBA0

Function 010681DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0102F3AB,00000000,?,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0106824C
EnableWindow.USER32(00000000,00000000), ref: 01068272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010682D1
ShowWindow.USER32(00000000,00000004), ref: 010682E5
EnableWindow.USER32(00000000,00000001), ref: 0106830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0106832F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 939b55ca83048ae0befaa9515c43db00b4441fe11bdd575178f162aa8b62ffb7
Instruction ID: 54e64c139bba0a142953740dc92a6add78b4eed3eb48e958ab5c07680367ec67
Opcode Fuzzy Hash: 939b55ca83048ae0befaa9515c43db00b4441fe11bdd575178f162aa8b62ffb7
Instruction Fuzzy Hash: 6441B634601745AFEB62CF19C989BE47FE4FB0A714F1881EAE6D84F262C336A441CB50

Function 010522DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 010522E8

Part of subcall function 0104E4EC: GetWindowRect.USER32(?,?), ref: 0104E504

GetDesktopWindow.USER32 ref: 01052312
GetWindowRect.USER32(00000000), ref: 01052319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01052355
GetCursorPos.USER32(?), ref: 01052381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010523DF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 542bb78cffd5feabcf9aada93cdfc9aff8896332d0c6ee7281101e72126dc520
Instruction ID: fb712ea66b6ff7a061fb2e3469481fd9ea4cc56bafbdea92a209e2d1a8353333
Opcode Fuzzy Hash: 542bb78cffd5feabcf9aada93cdfc9aff8896332d0c6ee7281101e72126dc520
Instruction Fuzzy Hash: 6E31C072504305AFD760DF58C848B9BBBE9FF88314F004A1AF9C597191DB35EA08CB92

Function 01034C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 01034C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01034CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01034CEA
_wcslen.LIBCMT ref: 01034D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01034D10
_wcsstr.LIBVCRUNTIME ref: 01034D1A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 7538a13506302214c172a3c256535b85a331e6933a119d42d3c7ffc6c83a40bf
Instruction ID: fc479a51ffd4a766ff670bf78b32f8ef197dc03479a174e6cf9ebbb90817b806
Opcode Fuzzy Hash: 7538a13506302214c172a3c256535b85a331e6933a119d42d3c7ffc6c83a40bf
Instruction Fuzzy Hash: F52129316042047BFB656B3AAC49E7F7BDCDF89750F008069F845CE192DAB5DC0097A0

Function 0104581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2

_wcslen.LIBCMT ref: 0104587B
CoInitialize.OLE32(00000000), ref: 01045995
CoCreateInstance.OLE32(0106FCF8,00000000,00000001,0106FB68,?), ref: 010459AE
CoUninitialize.OLE32 ref: 010459CC

Strings

.lnk, xrefs: 01045876, 010458C1, 01045985

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ff8d6d51fd2cdf5023cbf429a1e52b7a3de96c9b9dd12fde445c47ae2991367d
Instruction ID: ddfc788cf2ff8b5001fb792ebe2b5688c90250e6728dfbb9a3bab24246383dcf
Opcode Fuzzy Hash: ff8d6d51fd2cdf5023cbf429a1e52b7a3de96c9b9dd12fde445c47ae2991367d
Instruction Fuzzy Hash: 48D156B56083019FC714DF19C880A2ABBE6FF89710F1449ADF9899B361DB35EC45CB92

Function 0103175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01030FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01030FCA
Part of subcall function 01030FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01030FD6
Part of subcall function 01030FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01030FE5
Part of subcall function 01030FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01030FEC
Part of subcall function 01030FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01031002

GetLengthSid.ADVAPI32(?,00000000,01031335), ref: 010317AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010317BA
HeapAlloc.KERNEL32(00000000), ref: 010317C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 010317DA
GetProcessHeap.KERNEL32(00000000,00000000,01031335), ref: 010317EE
HeapFree.KERNEL32(00000000), ref: 010317F5

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 80b8eae80b52a6c8674bd4fd3173df2fa50cc5790254e11ccd723589797f8b2e
Instruction ID: 558bc568c3ddf808af11b61e11b2dedbb70d8004c63ab96f5a7dcd02251b1634
Opcode Fuzzy Hash: 80b8eae80b52a6c8674bd4fd3173df2fa50cc5790254e11ccd723589797f8b2e
Instruction Fuzzy Hash: 6111AC31500205EFEB219FA8CD48BAE7BFDFB8A255F184098F5C197210C73AA944CB60

Function 010314CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010314FF
OpenProcessToken.ADVAPI32(00000000), ref: 01031506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01031515
CloseHandle.KERNEL32(00000004), ref: 01031520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0103154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 01031563

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 13d023494e00224705a1685ab9a680c78ef5c1f76226a1bcfafeb414c2a6b1a1
Instruction ID: f3e68c806847c65b5716ce16324900978a80f54c7a13ffb0cfa153ca8e73e3e3
Opcode Fuzzy Hash: 13d023494e00224705a1685ab9a680c78ef5c1f76226a1bcfafeb414c2a6b1a1
Instruction Fuzzy Hash: 71112972500249EBEF218F98DE49BDE7BADFF49744F044055FA85A20A0C37A8E61DB60

Function 00FF3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FF3379,00FF2FE5), ref: 00FF3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FF339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FF33B7
SetLastError.KERNEL32(00000000,?,00FF3379,00FF2FE5), ref: 00FF3409

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 93ab0a6499906dcd8721f83fd9615e751c813c559de9aa87b4f8e0945a8a140b
Instruction ID: 9692ba7b59d1561f7dc7af28b5902b93cd4b8a4b4edde3b75feae4592cf539e4
Opcode Fuzzy Hash: 93ab0a6499906dcd8721f83fd9615e751c813c559de9aa87b4f8e0945a8a140b
Instruction Fuzzy Hash: 5D012433A083297EBA3566747D99A773A94EF463B9B200229F760802F4EF1B4E117244

Function 01002D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01005686,01013CD6,?,00000000,?,01005B6A,?,?,?,?,?,00FFE6D1,?,01098A48), ref: 01002D78
_free.LIBCMT ref: 01002DAB
_free.LIBCMT ref: 01002DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00FFE6D1,?,01098A48,00000010,00FD4F4A,?,?,00000000,01013CD6), ref: 01002DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00FFE6D1,?,01098A48,00000010,00FD4F4A,?,?,00000000,01013CD6), ref: 01002DEC
_abort.LIBCMT ref: 01002DF2

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 12a32c8aef166174ad8a3f15ebaf6cb1ee1c2c6879bf9f284002d0c477e37dca
Instruction ID: ab43fa3fc45d84008193599a5e874e7cda03b1ca8a7636f5b9baa96acc868ffb
Opcode Fuzzy Hash: 12a32c8aef166174ad8a3f15ebaf6cb1ee1c2c6879bf9f284002d0c477e37dca
Instruction Fuzzy Hash: 74F02832508A022BF6633238BC0CE9E2999BFD26A0F25041AF9E4D61D4EF298C018360

Function 01068A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96A2
Part of subcall function 00FE9639: BeginPath.GDI32(?), ref: 00FE96B9
Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01068A4E
LineTo.GDI32(?,00000003,00000000), ref: 01068A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01068A70
LineTo.GDI32(?,00000000,00000003), ref: 01068A80
EndPath.GDI32(?), ref: 01068A90
StrokePath.GDI32(?), ref: 01068AA0

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e2c2d96fb0feab8e0e358713395c2a26bcca0d28bc69b22b2dab7d9cc41f6b0e
Instruction ID: 3480b82e0694cb24b77229cd34e5b4cbea4706829f4cbea44fd5649c4430f7c8
Opcode Fuzzy Hash: e2c2d96fb0feab8e0e358713395c2a26bcca0d28bc69b22b2dab7d9cc41f6b0e
Instruction Fuzzy Hash: 5D110C76000108BFFF119F94DC48E9A7FACEB09350F008052FA9599164C7769D55DB60

Function 010351FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01035218
GetDeviceCaps.GDI32(00000000,00000058), ref: 01035229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01035230
ReleaseDC.USER32(00000000,00000000), ref: 01035238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0103524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 01035261

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: cd87afcb1a6d0b765d39cab5a63217742668fd722c4a774edd683a0a66a4d7a7
Instruction ID: 68249d87751a3c9c797a24c7ff949f1577691710a509bda62e2230c038e9af23
Opcode Fuzzy Hash: cd87afcb1a6d0b765d39cab5a63217742668fd722c4a774edd683a0a66a4d7a7
Instruction Fuzzy Hash: B601A275E00719BBFB109BE59D49E4EBFB8EF49351F044066FA85AB290D6719C00CFA0

Function 00FD1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD1C22

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d545b0fbb7c29e11de79f1be4b4f12215da61d8c3b6879725a5f97f67f062afe
Instruction ID: 559cefd6f6aa8e7e9fd627a210b00ced7d268c84d5319b4227cddb4e9296aa32
Opcode Fuzzy Hash: d545b0fbb7c29e11de79f1be4b4f12215da61d8c3b6879725a5f97f67f062afe
Instruction Fuzzy Hash: B60144B0902B5ABDE3008F6A8C85A52FEA8FF19354F00411BA15C4BA42C7B5A864CBE5

Function 0103EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0103EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0103EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0103EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB75

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 62db7f1c7552a53eaeb4e56a77ec4cc1e32e16e34acf467a695ec815c96b4c51
Instruction ID: 3220390c6783093f670d22fbef60852efecbfe5e9880a61d94b404f8aad2f36e
Opcode Fuzzy Hash: 62db7f1c7552a53eaeb4e56a77ec4cc1e32e16e34acf467a695ec815c96b4c51
Instruction Fuzzy Hash: DDF01D72140158BBE63166529D0DEAB3A7CEFCAB11F000158F682D509496A96A0187B5

Function 01027439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 01027452
SendMessageW.USER32(?,00001328,00000000,?), ref: 01027469
GetWindowDC.USER32(?), ref: 01027475
GetPixel.GDI32(00000000,?,?), ref: 01027484
ReleaseDC.USER32(?,00000000), ref: 01027496
GetSysColor.USER32(00000005), ref: 010274B0

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f8433fc801ba9806f3fc7422b6a45fe0f4e63d725bf7e4c4ab8550fe76cc4c62
Instruction ID: d1ea2c752d4f5a9b1daaeae92d9e41f170d3836cb2c0f5a8b9be7c4a552164da
Opcode Fuzzy Hash: f8433fc801ba9806f3fc7422b6a45fe0f4e63d725bf7e4c4ab8550fe76cc4c62
Instruction Fuzzy Hash: A2018B32400215EFEB615FA4DD08BAA7BB5FB08311F504060F995A21A1CF362E41AB50

Function 01031874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0103187F
UnloadUserProfile.USERENV(?,?), ref: 0103188B
CloseHandle.KERNEL32(?), ref: 01031894
CloseHandle.KERNEL32(?), ref: 0103189C
GetProcessHeap.KERNEL32(00000000,?), ref: 010318A5
HeapFree.KERNEL32(00000000), ref: 010318AC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2e3ae3694011864b14601f1f5bc6973858154083c3605309392da687ffe0bff8
Instruction ID: cf7bafdbbb6c3cc3c6b2cd74de9075459d38d79affe57994d5bd46a60b3307ef
Opcode Fuzzy Hash: 2e3ae3694011864b14601f1f5bc6973858154083c3605309392da687ffe0bff8
Instruction Fuzzy Hash: AEE0ED36004501FBEB116FA2EE0C905BF39FF4A7227108221F2A585078CB375420DB60

Function 0103C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0103C6EE
_wcslen.LIBCMT ref: 0103C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0103C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0103C7CA

Strings

0, xrefs: 0103C6AF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: a15ccadebfbfb210d4db0f6d7e1ab87698f523d3a3b3c2253066cace1a7c9835
Instruction ID: 8a678475b35cdc1f0422fa41b00895a33975a406a59c9ad98296ecc964fdd0ca
Opcode Fuzzy Hash: a15ccadebfbfb210d4db0f6d7e1ab87698f523d3a3b3c2253066cace1a7c9835
Instruction Fuzzy Hash: 6051C2716043009BF7969E28CE45A6B7BECBFC9310F04096EFAD5E2191DB74D904D752

Function 0105AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0105AEA3

Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625

GetProcessId.KERNEL32(00000000), ref: 0105AF38
CloseHandle.KERNEL32(00000000), ref: 0105AF67

Strings

@, xrefs: 0105AE72
<, xrefs: 0105AE6B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 0780cb899328533724b4e6fe528c5e66f6cc58dbb8957865d64083a5e9b6d6f5
Instruction ID: 2bc1446f029050c4df87eb08fd289dd321cb5bb1cd8ac783c9d7caf5817d01d4
Opcode Fuzzy Hash: 0780cb899328533724b4e6fe528c5e66f6cc58dbb8957865d64083a5e9b6d6f5
Instruction Fuzzy Hash: 78718D71A00215DFCB54EF94D884A9EBBF1FF08310F08859AE856AB392D779ED41DB90

Function 0103719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01037206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0103723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0103724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010372CF

Strings

DllGetClassObject, xrefs: 01037242

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 6e8510c71fb41cb4717d28b3f55f5895a90966ecd18f3f45696464649d5a19ae
Instruction ID: 317d9b5ced393f815f3a96b604ae763eaa660ced7e08a2bb0de77714e5705eb7
Opcode Fuzzy Hash: 6e8510c71fb41cb4717d28b3f55f5895a90966ecd18f3f45696464649d5a19ae
Instruction Fuzzy Hash: 9C413DB1A00205EFDB25CF54C884A9A7FADEF89310F1480ADFD459F20AD7B5D944CBA0

Function 01063D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01063E35
IsMenu.USER32(?), ref: 01063E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01063E92
DrawMenuBar.USER32 ref: 01063EA5

Strings

0, xrefs: 01063D89

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: d7b0f1e40ab8c98244488ec62ec5f8f237bd54e9445dbdf8854ccc7e94d1a18d
Instruction ID: bb04cf70da7ccb075e1837914afccd464e36571a01c20e9521a39e94d37bbdad
Opcode Fuzzy Hash: d7b0f1e40ab8c98244488ec62ec5f8f237bd54e9445dbdf8854ccc7e94d1a18d
Instruction Fuzzy Hash: DF416C75A00209AFEB20DF54DC84AEABBF9FF48350F044159F9899B290D735A940CFA0

Function 01031DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01031E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01031E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 01031EA9

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

Strings

ListBox, xrefs: 01031E25
ComboBox, xrefs: 01031DF0

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 7d6a1a862df75b83bdfa9e43c3bd4a8f38563135bebaa53413f387f088018e6b
Instruction ID: a8d820d8a5628f6da50707485e1bc3c2354945b75a164cb5f0b54a758d8b32e7
Opcode Fuzzy Hash: 7d6a1a862df75b83bdfa9e43c3bd4a8f38563135bebaa53413f387f088018e6b
Instruction Fuzzy Hash: 20213871A00108BEEB14ABA5DC45CFFBBBDEF89350B04411AF4A1A72E1DB7A59099730

Function 01062F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01062F8D
LoadLibraryW.KERNEL32(?), ref: 01062F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01062FA9
DestroyWindow.USER32(?), ref: 01062FB1

Strings

SysAnimate32, xrefs: 01062F68

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 09e7cd5f7c87dd4362e4def5292bf059218c8baaff41e5f0dca3b9502857d34e
Instruction ID: bf04ae74d7c22422626a5dfe4bab039b9f06802b98fcf13707bc302407b8cee2
Opcode Fuzzy Hash: 09e7cd5f7c87dd4362e4def5292bf059218c8baaff41e5f0dca3b9502857d34e
Instruction Fuzzy Hash: 0E21CD72204209ABEF218FA8DC80EBB37EDEF49364F104629FAD0D6195D771DC519760

Function 00FF4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FF4D1E,010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002), ref: 00FF4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FF4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00FF4D1E,010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000), ref: 00FF4DC3

Strings

mscoree.dll, xrefs: 00FF4D86
CorExitProcess, xrefs: 00FF4D98

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2c62f88320cfa4c10b01eab3be737b0852af885945167f3701a1160a33231e64
Instruction ID: 7bf1decf2e549fd073ddcfb205bc04de0baba1e36d803bb84dc5b745f9cea217
Opcode Fuzzy Hash: 2c62f88320cfa4c10b01eab3be737b0852af885945167f3701a1160a33231e64
Instruction Fuzzy Hash: F0F0C830E0020CBBEB209F90DD09BAEBFF4EF45711F000158F985A6164CB355D40DB94

Function 00FD4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4EAE
FreeLibrary.KERNEL32(00000000,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EC0

Strings

kernel32.dll, xrefs: 00FD4E94
Wow64DisableWow64FsRedirection, xrefs: 00FD4EA8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 58235318a35e780c2fb5a1a0a2b77acc3fe906fad59e549684a80c4a5544d5b6
Instruction ID: fbd3e5047251314a05c1c33b72b1f11549ed6ee7c7b2f5ff0f680a4cbcf9b672
Opcode Fuzzy Hash: 58235318a35e780c2fb5a1a0a2b77acc3fe906fad59e549684a80c4a5544d5b6
Instruction Fuzzy Hash: 0BE0CD35E02522ABE33117266C28B5F7759AF82F72B0D0116FCC0DA304DF74DC0155A0

Function 00FD4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4E74
FreeLibrary.KERNEL32(00000000,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E87

Strings

kernel32.dll, xrefs: 00FD4E5B
Wow64RevertWow64FsRedirection, xrefs: 00FD4E6E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 44b545beee00601f552fbe9b637f90a762820b47af23a8b774eb5d18455e1040
Instruction ID: 5448a2a5a9c3e822e3d3c8c11a49ccad93ceeb870f0af9682ae0c3d7ce521bc9
Opcode Fuzzy Hash: 44b545beee00601f552fbe9b637f90a762820b47af23a8b774eb5d18455e1040
Instruction Fuzzy Hash: FED0C231902661A76A321B25A828E8B2B19AFC6B613090216F8C0AA218CF35CD01A6D0

Function 0105A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0105A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0105A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0105A468
CloseHandle.KERNEL32(?), ref: 0105A63D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 538f66a4db0701fa79b028644c33bb30ede134eb9545b0c5ec0e126890b30e6f
Instruction ID: b07e5a67c9646086e45879c47f812576e28d86f81faf07df9fd0ab9af71ef79d
Opcode Fuzzy Hash: 538f66a4db0701fa79b028644c33bb30ede134eb9545b0c5ec0e126890b30e6f
Instruction Fuzzy Hash: 89A191716043019FE760DF18C882F2AB7E5AF88714F04895DF99A9B392DBB4E841CB91

Function 0100BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01073700), ref: 0100BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,010A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0100BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,010A1270,000000FF,?,0000003F,00000000,?), ref: 0100BC36
_free.LIBCMT ref: 0100BB7F

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 0100BD4B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: f48a155f5f5f70fcd13636121916e7b643ae72528f53b0fb9ef29cff33f1262e
Instruction ID: 8336422d0ddb8159a0171bd3b0574cd37f6b9a4303033de0892067537f7e5af9
Opcode Fuzzy Hash: f48a155f5f5f70fcd13636121916e7b643ae72528f53b0fb9ef29cff33f1262e
Instruction Fuzzy Hash: 7A510875900609AFFB22EF69DC809AEBBF8FF41350F5042AAE5D4D71D4EB349A408B50

Function 0103E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0103CF22,?), ref: 0103DDFD

Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0103CF22,?), ref: 0103DE16

Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A

lstrcmpiW.KERNEL32(?,?), ref: 0103E473
MoveFileW.KERNEL32(?,?), ref: 0103E4AC
_wcslen.LIBCMT ref: 0103E5EB
_wcslen.LIBCMT ref: 0103E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0103E650

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 0b7a21c2aebde0ff61d378a242a7155150480cef422cda8e238128ab60b72367
Instruction ID: 734798e4fdda73d3fbddd8580ad3013dfeb4549eaf63b14e87716a0fae79396f
Opcode Fuzzy Hash: 0b7a21c2aebde0ff61d378a242a7155150480cef422cda8e238128ab60b72367
Instruction Fuzzy Hash: 2B5161B25083459BD764EBA4DC809DF77ECAFC5340F004A1EE6C9D3191EF79A2888766

Function 0105B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0105BB63
RegCloseKey.ADVAPI32(?,?), ref: 0105BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0105BBB3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 0c251a19b6f073db8e7c489c957c299102897fcc264902ce7da57528b443854b
Instruction ID: 2c7789d2877febb2b37a10ec357acbf85d3468c7b4ff3b889342a623c3845c04
Opcode Fuzzy Hash: 0c251a19b6f073db8e7c489c957c299102897fcc264902ce7da57528b443854b
Instruction Fuzzy Hash: 9961C331208201AFE354DF14C890E2BBBE6FF84308F58859DF5954B2A2DB75ED45CB92

Function 01038BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01038BCD
VariantClear.OLEAUT32 ref: 01038C3E
VariantClear.OLEAUT32 ref: 01038C9D
VariantClear.OLEAUT32(?), ref: 01038D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01038D3B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e1b22e08fb92f588f9b90397cda81371e2b35571bf3deb543f69e7e65a5b3ffb
Instruction ID: 4c57303cfe24c74984ec4fa25bc0be828649206c2646bc0da0f0b6e4ad1cf8ff
Opcode Fuzzy Hash: e1b22e08fb92f588f9b90397cda81371e2b35571bf3deb543f69e7e65a5b3ffb
Instruction Fuzzy Hash: F8516BB5A00219EFDB10DF58C884AAABBF8FF89310F05859AF945DB314E734E911CB90

Function 01048AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01048BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01048BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01048C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01048C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01048C5F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: da531a06d4efd9276b31db5e45bbd6c2e3d9759aee597e3b3df6de501589e835
Instruction ID: c8f0c411d548b07e0ec7e810e1bc14cd7761169dc931db02e2f078c06f97984f
Opcode Fuzzy Hash: da531a06d4efd9276b31db5e45bbd6c2e3d9759aee597e3b3df6de501589e835
Instruction Fuzzy Hash: 67515A75A002199FDB11DF65C880A69BBF2FF48314F08C49AE849AB362DB35ED41DB91

Function 01058EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01058F40
GetProcAddress.KERNEL32(00000000,?), ref: 01058FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 01058FEC
GetProcAddress.KERNEL32(00000000,?), ref: 01059032
FreeLibrary.KERNEL32(00000000), ref: 01059052

Part of subcall function 00FEF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01041043,?,7556E610), ref: 00FEF6E6
Part of subcall function 00FEF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0102FA64,00000000,00000000,?,?,01041043,?,7556E610,?,0102FA64), ref: 00FEF70D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 006a6ddb9b90422f757029e19c07842499f6dc6f25e18d173252a58096663199
Instruction ID: b5de8c52d298e78950c7533813619ae4f4b036d333cd655b5a8a097a5afa9b33
Opcode Fuzzy Hash: 006a6ddb9b90422f757029e19c07842499f6dc6f25e18d173252a58096663199
Instruction Fuzzy Hash: BC515835604205DFCB51DF58C4848AEBBF1FF49314B0880AAED8A9B362D735ED85CB90

Function 01066B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01066C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01066C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01066C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0104AB79,00000000,00000000), ref: 01066C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01066CC7

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 542a870305ee342cd1523bd96198f2c0d9a108e796d3ecb78b231cfe0fcf1a9f
Instruction ID: 297945541406eb1d9b8c0c9336b291421e96551d07a8f683797847ac26b209f9
Opcode Fuzzy Hash: 542a870305ee342cd1523bd96198f2c0d9a108e796d3ecb78b231cfe0fcf1a9f
Instruction Fuzzy Hash: DE41A135A00508AFE7248F68CD54FB97FA9EB09360F040268F995A72A8C373AD41CA40

Function 01002051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 010020C3
_free.LIBCMT ref: 010020E3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1e45fc54524e069795e3ea98093056e57f1de15eef4a843bfb3176361f6e72c1
Instruction ID: 977769e55b4fcda74f8fb1f81418ef3334d7d610fd291760e32db43c311c15e4
Opcode Fuzzy Hash: 1e45fc54524e069795e3ea98093056e57f1de15eef4a843bfb3176361f6e72c1
Instruction Fuzzy Hash: CF41E636E003009FEB22DF78C984A9DB7F5EF89314F1545A9E655EB392D731A901CB80

Function 00FE912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FE9141
ScreenToClient.USER32(00000000,?), ref: 00FE915E
GetAsyncKeyState.USER32(00000001), ref: 00FE9183
GetAsyncKeyState.USER32(00000002), ref: 00FE919D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f819e60e82f22fbdcbd2487ce1b9c8e88c190bef9ef55e0b3ea1d30bbabaa4c3
Instruction ID: 4b09042db855353f80010a18128468604ddd131e02f661bdb6f4a66b662dcfb5
Opcode Fuzzy Hash: f819e60e82f22fbdcbd2487ce1b9c8e88c190bef9ef55e0b3ea1d30bbabaa4c3
Instruction Fuzzy Hash: 61416031A0861BFBDF199F69C844BEEB775FF15320F208219E469A32D0C7785990DBA1

Function 01043874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 010438CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 01043922
TranslateMessage.USER32(?), ref: 0104394B
DispatchMessageW.USER32(?), ref: 01043955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01043966

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 888d7f74545d857c12481113f13d346a25e8c607f50d8dbe74baaf76bebdd4e6
Instruction ID: 50026ed6e76feb0e6ac4f3c98300041d68214ca2da7c2bbd459e4d264e4f1783
Opcode Fuzzy Hash: 888d7f74545d857c12481113f13d346a25e8c607f50d8dbe74baaf76bebdd4e6
Instruction Fuzzy Hash: F331E6B4504762AFFB75CA389488BB77BE8BB05300F4455BDD5E28A0D5E3799884CB11

Function 01031901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01031915
PostMessageW.USER32(00000001,00000201,00000001), ref: 010319C1
Sleep.KERNEL32(00000000,?,?,?), ref: 010319C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 010319DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 010319E2

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2da094b66b7529d3e17f383ed92c0cce0dc507bdf288207b791bea9a38c75be1
Instruction ID: 586d8f63ccd00c18ea3e1ae239fba4669c8d736993972d404d8771e024513a34
Opcode Fuzzy Hash: 2da094b66b7529d3e17f383ed92c0cce0dc507bdf288207b791bea9a38c75be1
Instruction Fuzzy Hash: 4D31E871900219EFDB14CFACC948ADE3BB9EF49315F004266F9A1EB2D1C7709954CB90

Function 01065706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01065745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0106579D
_wcslen.LIBCMT ref: 010657AF
_wcslen.LIBCMT ref: 010657BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01065816

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 8b2e3cbb47457046c2e15deadf41e0fd7f4d8315f1410ccc6db3180d40a3f2a9
Instruction ID: 48940cf8ea3dd93b027f87c82e3451cbd862fd3c1d00b1a6aa55d4d42cf55d30
Opcode Fuzzy Hash: 8b2e3cbb47457046c2e15deadf41e0fd7f4d8315f1410ccc6db3180d40a3f2a9
Instruction Fuzzy Hash: 0D21BA71A042199AEB209FA4DC84AEE7BFCFF04764F008256FAA9EB1C4D7749585CF50

Function 01050930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01050951
GetForegroundWindow.USER32 ref: 01050968
GetDC.USER32(00000000), ref: 010509A4
GetPixel.GDI32(00000000,?,00000003), ref: 010509B0
ReleaseDC.USER32(00000000,00000003), ref: 010509E8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5b9bdb98241f737b3928272859d60acef390b240281799c3b8ec2b36932e469e
Instruction ID: dee5c30b4fea109f0f163cab72dab253f6c2b3da04daa90d83926fc73f31b42b
Opcode Fuzzy Hash: 5b9bdb98241f737b3928272859d60acef390b240281799c3b8ec2b36932e469e
Instruction Fuzzy Hash: 9D218E75600204AFE714EF69D984AAEBBF9FF48700F048069F88AD7365CB75AC44CB90

Function 0100CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0100CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0100CDE9

Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0100CE0F
_free.LIBCMT ref: 0100CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0100CE31

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: fa0dad06d6fb9904e4bc58e47c1a74f5e3a26a060ceee5e15cb53d4545a048cf
Instruction ID: 9b26ea651d6ecffda6efffc896ed09603969240d2a2bfdbedee87329864dc7d0
Opcode Fuzzy Hash: fa0dad06d6fb9904e4bc58e47c1a74f5e3a26a060ceee5e15cb53d4545a048cf
Instruction Fuzzy Hash: 7601FC726022557F333325BA6D4CC7F7DADDEC7AA171502A9FE85C7180DE658D0182B0

Function 00FE9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
SelectObject.GDI32(?,00000000), ref: 00FE96A2
BeginPath.GDI32(?), ref: 00FE96B9
SelectObject.GDI32(?,00000000), ref: 00FE96E2

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6449a88d6aa7971d877341de57a42d19a0cdcce17b0e7616e51a42b6b7b3ce9a
Instruction ID: 3cb7aab17aac138e4febea51121248ff51262fbcc70ccf4de354d4f88e8d8d8e
Opcode Fuzzy Hash: 6449a88d6aa7971d877341de57a42d19a0cdcce17b0e7616e51a42b6b7b3ce9a
Instruction Fuzzy Hash: BF21D431816785EFEB318F25E9047A93BB8BB01365F500217F490A60E8D3BA5981DFA1

Function 01035711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01035726
_memcmp.LIBVCRUNTIME ref: 01035744
_memcmp.LIBVCRUNTIME ref: 01035757
_memcmp.LIBVCRUNTIME ref: 0103576F
_memcmp.LIBVCRUNTIME ref: 01035787

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 700888df3ca88fd43caabe50e4194da40914e6160a2fa88767e2cb8247da6ae1
Instruction ID: 1f55727aa7a49a756ec05942646f03bbc37c01a22281b8f0c2b2969112db74fd
Opcode Fuzzy Hash: 700888df3ca88fd43caabe50e4194da40914e6160a2fa88767e2cb8247da6ae1
Instruction Fuzzy Hash: 5E01D86564520AFBE20A5515BE92FBF739DBFA13A4F414024FE449F212F764ED10D2E0

Function 01002DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6), ref: 01002DFD
_free.LIBCMT ref: 01002E32
_free.LIBCMT ref: 01002E59
SetLastError.KERNEL32(00000000,00FD1129), ref: 01002E66
SetLastError.KERNEL32(00000000,00FD1129), ref: 01002E6F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 821785e7971844f27dbfad37acb3d82535ff195f824ced18146e3cb141b3e86e
Instruction ID: d8c94fdba565fcfb894b054e932c0d5332863ed287822ff04d6ddb54aae6a3ee
Opcode Fuzzy Hash: 821785e7971844f27dbfad37acb3d82535ff195f824ced18146e3cb141b3e86e
Instruction Fuzzy Hash: 6F01F9765886416BF62376396D4CD6F159DABE13A1F650028F5D5921D5EA358C014220

Function 0103000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?,?,0103035E), ref: 0103002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?), ref: 01030064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030070

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: fadc88627824b340f4cd6f00810d7f77de3d7c9ebf5147bc3855893b1392e7e1
Instruction ID: c8157c7d94ba7ade70b9beace782c4fdbaa64553fbeb554973a277b089bada1e
Opcode Fuzzy Hash: fadc88627824b340f4cd6f00810d7f77de3d7c9ebf5147bc3855893b1392e7e1
Instruction Fuzzy Hash: 0101A272601205BFEB205F68DD44BAABEEDEF84761F144124FAC5D2218D77ADD408BA0

Function 0103E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0103E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0103E9A5
Sleep.KERNEL32(00000000), ref: 0103E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0103E9B7
Sleep.KERNEL32 ref: 0103E9F3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2649a1971142726daa15472736e6375d2ff14d4090702d4144bb2f58131eeea9
Instruction ID: 17059d75b81a095d235168a53b8396d8c7537929e3559de0dff8bfb5df9fce9e
Opcode Fuzzy Hash: 2649a1971142726daa15472736e6375d2ff14d4090702d4144bb2f58131eeea9
Instruction Fuzzy Hash: 4E016931C01629DBDF50AFE4D948AEDBB7CFF49301F000656E9C2B2244CB399552CBA1

Function 010310F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d59fb4f22d3370e8b558bc8f9535d97276ec335f5c0a64a661fd5fedc2426ddd
Instruction ID: 278874d13ed5a6f6a079012510b1ca99c1e505e5da88586600f2ddd894d8a244
Opcode Fuzzy Hash: d59fb4f22d3370e8b558bc8f9535d97276ec335f5c0a64a661fd5fedc2426ddd
Instruction Fuzzy Hash: ED011D75200205BFEB214F69DD49AAA3FAEEFCA260B104455F9C5D7354DA36DD009B60

Function 01030FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01030FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01030FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01030FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01030FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01031002

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ad41875d348bba799d1805ece5dd293cc6c63057faeaa079ce7da1cd811b51ae
Instruction ID: 396d908ff5f4fc8ae7937ae9eb16e772be6cc4d84830bd91f7b0d4b7929d4d85
Opcode Fuzzy Hash: ad41875d348bba799d1805ece5dd293cc6c63057faeaa079ce7da1cd811b51ae
Instruction Fuzzy Hash: CDF04935200341BBEB214FA99D49F563BADEF8A662F104454FAC9DA251CA76D8108B60

Function 01031014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0103102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01031036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0103104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031062

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1b9077efb2227d94faec400e19aa2d38db1c38fe1b0c5158f741234218a60f77
Instruction ID: 9e6b4fa086793339a1ba018988787ec70aeb03f84117966cf0471f93be304469
Opcode Fuzzy Hash: 1b9077efb2227d94faec400e19aa2d38db1c38fe1b0c5158f741234218a60f77
Instruction Fuzzy Hash: E0F06D35200341FBEB225FA9ED59F563FADEF8A661F100414FAC5DB250CA76D9108B60

Function 0104030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040324
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040331
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 0104033E
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 0104034B
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040358
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040365

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 92a05e3d824efbee831f4b83a2dffa55ec32cc566087c35a8f4439b1a301a66a
Instruction ID: 056dc06c431a820420c97f204e677766cc4a433bfb92e0e2334386b5c1737e78
Opcode Fuzzy Hash: 92a05e3d824efbee831f4b83a2dffa55ec32cc566087c35a8f4439b1a301a66a
Instruction Fuzzy Hash: EC0190B2800B159FD7309F6AD8D0453FBF9BE502163158A7EE2D662931C371A954CF80

Function 0100D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0100D752

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 0100D764
_free.LIBCMT ref: 0100D776
_free.LIBCMT ref: 0100D788
_free.LIBCMT ref: 0100D79A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e4e797feb68d2a5a947278c2a7d3400bd06e1a0de5e0e74b9dcef24506fc61e8
Instruction ID: bc40eab9865ff904bad744165a532fb7aecea3dcdf80ed7554014acf9dd628fb
Opcode Fuzzy Hash: e4e797feb68d2a5a947278c2a7d3400bd06e1a0de5e0e74b9dcef24506fc61e8
Instruction Fuzzy Hash: B9F068325442456BB663EBDCF6C8C5A7BDDBB44250BA40849F1CCD7584D735F8404770

Function 01035C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 01035C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 01035C6F
MessageBeep.USER32(00000000), ref: 01035C87
KillTimer.USER32(?,0000040A), ref: 01035CA3
EndDialog.USER32(?,00000001), ref: 01035CBD

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: cd2b9ce00b65c590cd1b25de5e6c4b9747363dacffa5d781dc046b413bee533f
Instruction ID: cea320f515a5e58c4dacb680960b0b296b436d7f3e9edcbc5e36584ef83e5503
Opcode Fuzzy Hash: cd2b9ce00b65c590cd1b25de5e6c4b9747363dacffa5d781dc046b413bee533f
Instruction Fuzzy Hash: D50144305107089EFB315B14DE4EF957BB8BB44705F04065AF6C2A14F1D7F9A9448B54

Function 010022A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 010022BE

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 010022D0
_free.LIBCMT ref: 010022E3
_free.LIBCMT ref: 010022F4
_free.LIBCMT ref: 01002305

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eaecfb4712228a110cea549f4bbbca6d4b353e6c830d9259533ae77adeb87880
Instruction ID: 9fdfb9676263031bb9c3bdd0dc48228cade4e1e919ad1e26cb5b6954796559e1
Opcode Fuzzy Hash: eaecfb4712228a110cea549f4bbbca6d4b353e6c830d9259533ae77adeb87880
Instruction Fuzzy Hash: 3EF054B48109159BA623BF54F40488D3FA8F7287A0B900506F4D0D72ECC73B4421AFE4

Function 00FE95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FE95D4
StrokeAndFillPath.GDI32(?,?,010271F7,00000000,?,?,?), ref: 00FE95F0
SelectObject.GDI32(?,00000000), ref: 00FE9603
DeleteObject.GDI32 ref: 00FE9616
StrokePath.GDI32(?), ref: 00FE9631

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5f479076ceb87555f4fa9b6fc8965bdc9a20f946edb592ab379e56b4d717c092
Instruction ID: e1755e48c7337cab9367514b5f2128e4a0103f7321d2a09d4b97c6ae42db286e
Opcode Fuzzy Hash: 5f479076ceb87555f4fa9b6fc8965bdc9a20f946edb592ab379e56b4d717c092
Instruction Fuzzy Hash: 00F04F31409B44EBEB365F66EA0C7643FA1BB41372F448215F4E5550F8CB7A8995EF20

Function 01000F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 010010F9
__freea.LIBCMT ref: 01001117

Part of subcall function 01001537: _free.LIBCMT ref: 0100154F

Strings

a/p, xrefs: 010011DE
am/pm, xrefs: 0100117A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6f541605b23087880b22fab27844b9a76a78accd74b6d1681ec0924a98bfa1aa
Instruction ID: f44125d8433acb120f5964c768cf7d8983704f86b1268c186b3e493bfcdfb97c
Opcode Fuzzy Hash: 6f541605b23087880b22fab27844b9a76a78accd74b6d1681ec0924a98bfa1aa
Instruction Fuzzy Hash: 67D1BE71A042069AFB6B8F6CC855BFEBBF1EF05300F188199E6819B6D1D275D980CB91

Function 01057B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00FF0242: EnterCriticalSection.KERNEL32(010A070C,010A1884,?,?,00FE198B,010A2518,?,?,?,00FD12F9,00000000), ref: 00FF024D
Part of subcall function 00FF0242: LeaveCriticalSection.KERNEL32(010A070C,?,00FE198B,010A2518,?,?,?,00FD12F9,00000000), ref: 00FF028A

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 00FF00A3: __onexit.LIBCMT ref: 00FF00A9

__Init_thread_footer.LIBCMT ref: 01057BFB

Part of subcall function 00FF01F8: EnterCriticalSection.KERNEL32(010A070C,?,?,00FE8747,010A2514), ref: 00FF0202
Part of subcall function 00FF01F8: LeaveCriticalSection.KERNEL32(010A070C,?,00FE8747,010A2514), ref: 00FF0235

Strings

Variable must be of type 'Object'., xrefs: 01057C3A
G, xrefs: 01057C7F
5, xrefs: 01057C78

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 5b14bd9ffefa99c7e30a158c3f2949308336ad1b03652c826004c40af4692b9e
Instruction ID: d365023e0c32f3ef8ef446abaa21135ebb2f2a24c61fe3e69b26095c28346ec3
Opcode Fuzzy Hash: 5b14bd9ffefa99c7e30a158c3f2949308336ad1b03652c826004c40af4692b9e
Instruction Fuzzy Hash: 46917F71600209EFCB55EF58C890DAEBBB5FF44304F848099FD865B251DB71AE41EB61

Function 01032716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0103B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321D0,?,?,00000034,00000800,?,00000034), ref: 0103B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01032760

Part of subcall function 0103B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0103B3F8

Part of subcall function 0103B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0103B355
Part of subcall function 0103B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B365
Part of subcall function 0103B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010327CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0103281A

Strings

@, xrefs: 01032832

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 920bd8b56dcc2f17cd12a1665db2255b62c7906a83fb97004d79f7c411e09982
Instruction ID: f2b6dfaed21bc8351415eafdbf9339b28d2fed532b667d4e23cf18be922c04d0
Opcode Fuzzy Hash: 920bd8b56dcc2f17cd12a1665db2255b62c7906a83fb97004d79f7c411e09982
Instruction Fuzzy Hash: 5F416D72901219BFDB10DFA8CD41AEEBBB8FF59700F108095FA95B7180DA706E45CBA0

Function 0100172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe,00000104), ref: 01001769
_free.LIBCMT ref: 01001834
_free.LIBCMT ref: 0100183E

Strings

C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe, xrefs: 01001760, 01001767, 01001796, 010017CE

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Orden de compra.000854657689654253545676785436.exe
API String ID: 2506810119-4274431900
Opcode ID: 6f7b62a9887708b90d786926d70ad67277e342b24f8f7c4fe729c30cc8cf8b52
Instruction ID: 0ae9d72dab94fe3a2f2f71bdc65e49a1f49b113be1ae033bf2b9662af69ccc05
Opcode Fuzzy Hash: 6f7b62a9887708b90d786926d70ad67277e342b24f8f7c4fe729c30cc8cf8b52
Instruction Fuzzy Hash: 27318E75A00219EBEB23DF99D884D9EBBFCEF85310F5041A6E98497280D670CB40CBA0

Function 0103C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0103C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0103C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010A1990,01375DD8), ref: 0103C395

Strings

0, xrefs: 0103C2DF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 5f507a9d637fa45a31fe8c60af18002d7e3ee1ccf627ecb5ef31477dcdcd8abe
Instruction ID: f46e54a31937358d03f83672d91f658be7e52e062cf534991959dd7b07fce41e
Opcode Fuzzy Hash: 5f507a9d637fa45a31fe8c60af18002d7e3ee1ccf627ecb5ef31477dcdcd8abe
Instruction Fuzzy Hash: E141A0712043029FE720DF29D984B6ABBE8AFC5314F048A5EF9E5E72D1D770A604CB52

Function 01064416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0106CC08,00000000,?,?,?,?), ref: 010644AA
GetWindowLongW.USER32 ref: 010644C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010644D7

Strings

SysTreeView32, xrefs: 0106447C

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b4d832829f2de29fe8c7e9d74352ff684e9e021f8d798e25c424fce13194700e
Instruction ID: e0227e0e1a33062277b9d3db5013e92a8bbb4b97d1f10fb40eef2cedd94dd10a
Opcode Fuzzy Hash: b4d832829f2de29fe8c7e9d74352ff684e9e021f8d798e25c424fce13194700e
Instruction Fuzzy Hash: 1431BE31210205AFEF618E38DC46BEA7BA9EB09334F204315FAB5D21E1DB75E8509B50

Function 0105304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0105335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01053077,?,?), ref: 01053378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
_wcslen.LIBCMT ref: 0105309B
htons.WSOCK32(00000000,?,?,00000000), ref: 01053106

Strings

255.255.255.255, xrefs: 01053095, 0105309A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 3fd0965c221f272659a135bbf1a14d568d732911d2a7e2b221a2702ae5e2cdf7
Instruction ID: 670689795425671ee86a26f7ef4e6ea6c42dbb4d0222804338714e3b12eff829
Opcode Fuzzy Hash: 3fd0965c221f272659a135bbf1a14d568d732911d2a7e2b221a2702ae5e2cdf7
Instruction Fuzzy Hash: 2831EF392002058FDBA0CF68C491AABBBF0FF04398F149099E9958F392CB72ED41C760

Function 01064653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01064705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01064713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0106471A

Strings

msctls_updown32, xrefs: 01064684

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c8796536ec0b657a5829c67a27c63488159c2d9a62bf1d52f2c8205277aa9f76
Instruction ID: 24abfaa8ae673d35bd1d976ca60d3ca9446f96f679ff8a67d5f3fceea33b59ff
Opcode Fuzzy Hash: c8796536ec0b657a5829c67a27c63488159c2d9a62bf1d52f2c8205277aa9f76
Instruction Fuzzy Hash: 24215CB5600209AFEB11DF68DC81DAB37EDEB5A3A4B04005AFA80DB251CB75EC11DB60

Function 010395AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103961D

Strings

#requireadmin, xrefs: 010395D9
#OnAutoItStartRegister, xrefs: 010395F3
#notrayicon, xrefs: 010395B7

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: fc379beac6c532a5f3c65cc85d98311c31087228d838fa4d40e5de0bb0a38085
Instruction ID: a4988b5e49ec4e295fb887d3105ba4d8889b9d2032ea47a7df659cf72f895b21
Opcode Fuzzy Hash: fc379beac6c532a5f3c65cc85d98311c31087228d838fa4d40e5de0bb0a38085
Instruction Fuzzy Hash: D3218B3220461166D331BB299C12FBB73DC9FD5308F04402AFACA9B182EBD5A981D391

Function 010637B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01063840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01063850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01063876

Strings

Listbox, xrefs: 0106380F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5a5fae193e548752cd9bb1ade7fec3ea7e0c570d45a6c3be9b64dafcf98adcec
Instruction ID: a5e646946bf0d25f81020e4ec4b6daddc4436d325b6451104e74fd84f272b0b2
Opcode Fuzzy Hash: 5a5fae193e548752cd9bb1ade7fec3ea7e0c570d45a6c3be9b64dafcf98adcec
Instruction Fuzzy Hash: D621B072610218BFEF228E58CC45EEB37AEFF89750F108154F9849B190C676DC5187E0

Function 010449F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01044A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01044A5C
SetErrorMode.KERNEL32(00000000,?,?,0106CC08), ref: 01044AD0

Strings

%lu, xrefs: 01044A6F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: dede2e5567e1a18df547e337bf2322128931e4af06b51d51adc5ddacf67fc810
Instruction ID: d7647e2aab7394a7b3768540db087dd6eef015a17fc6f8a90e0131aa7a66cfac
Opcode Fuzzy Hash: dede2e5567e1a18df547e337bf2322128931e4af06b51d51adc5ddacf67fc810
Instruction Fuzzy Hash: F3318171A00109AFDB10DF54C984EAA7BF8EF04304F0440A9E945DF352DB75ED45CB61

Function 010641EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0106424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01064264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01064271

Strings

msctls_trackbar32, xrefs: 01064226

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c5d2bdab15cb87f80a40e1f64f3bbf2a186a8765b090ed724876d3e626bff460
Instruction ID: c0ebc7723b622d9b6ecffedb5a85fe47ab3fff8b4fef26c5764da85460f984b4
Opcode Fuzzy Hash: c5d2bdab15cb87f80a40e1f64f3bbf2a186a8765b090ed724876d3e626bff460
Instruction Fuzzy Hash: 44112931240209BEEF215F39CC45FAB3BECEF85B54F110114FAD5E6090D2B1D8519B10

Function 01032F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

Part of subcall function 01032DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01032DC5
Part of subcall function 01032DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01032DD6
Part of subcall function 01032DA7: GetCurrentThreadId.KERNEL32 ref: 01032DDD
Part of subcall function 01032DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01032DE4

GetFocus.USER32 ref: 01032F78

Part of subcall function 01032DEE: GetParent.USER32(00000000), ref: 01032DF9

GetClassNameW.USER32(?,?,00000100), ref: 01032FC3
EnumChildWindows.USER32(?,0103303B), ref: 01032FEB

Strings

%s%d, xrefs: 01032FFF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: eeb417c6fc2befc56b16996882b71c1046ad295ae1a13c2a1a8e84a527fbb622
Instruction ID: ba6ddc3627777c882173f7e37bed1cef301d6c6de799cced35040d57177117fd
Opcode Fuzzy Hash: eeb417c6fc2befc56b16996882b71c1046ad295ae1a13c2a1a8e84a527fbb622
Instruction Fuzzy Hash: 2711D271200205ABDF117F648CD9EEE776EAFD4304F04407AF989DB252DE3599099B70

Function 01065882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010658C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010658EE
DrawMenuBar.USER32(?), ref: 010658FD

Strings

0, xrefs: 0106588F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 0fdfea0d7f5ef162455cccebd007abbf656990bebce841131f24bcdb44f3d6ce
Instruction ID: 880278ee1b19d451e890ce4e72600ec73d8e0c393763dc5deb51a4becc53589f
Opcode Fuzzy Hash: 0fdfea0d7f5ef162455cccebd007abbf656990bebce841131f24bcdb44f3d6ce
Instruction Fuzzy Hash: 33016D31500258AFEB619F15DC44BAFBBB8FF453A0F00809AE889D6151DB348A84DF31

Function 0102D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0102D3BF
FreeLibrary.KERNEL32 ref: 0102D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0102D3B9
X64, xrefs: 0102D2A8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7b522354269ca5a63d731483791225d34f53417002f7ae20156358e422da35ca
Instruction ID: 1ffc2450a42a1539d69a8534b8190725d6ad991385874a46435d03a6708b3255
Opcode Fuzzy Hash: 7b522354269ca5a63d731483791225d34f53417002f7ae20156358e422da35ca
Instruction Fuzzy Hash: 48F02B72906631D7F7B11595CC74AAE7758AF12701F59C58AF5C1FA108DB30CE4887D1

Function 0103007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c1cb39cf56458dd449e01f1d5e2e2e9306d8dba11966d723a84a03747dfbbd
Instruction ID: dbae0eaa9ae505041603fbe0ed8ecc2540fb648b72a8c525f930c830e6d3bcd5
Opcode Fuzzy Hash: 22c1cb39cf56458dd449e01f1d5e2e2e9306d8dba11966d723a84a03747dfbbd
Instruction Fuzzy Hash: C1C13A75A0120AAFDB14CFA8C894AAEBBB9FF88704F108598F545EB255D731ED41CB90

Function 0105342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01053459
CoUninitialize.OLE32 ref: 01053463
VariantInit.OLEAUT32(?), ref: 0105346E
VariantClear.OLEAUT32(?), ref: 0105371B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 753eb1e8d232d6a36903519c3f0f75a759683ec7f9b5795cb4a13bbeaa3057b9
Instruction ID: fc00994a931b4da2065dbdd4e8337f1cb670d6f31aef804a27b6c9073583bf0c
Opcode Fuzzy Hash: 753eb1e8d232d6a36903519c3f0f75a759683ec7f9b5795cb4a13bbeaa3057b9
Instruction Fuzzy Hash: 82A158756043019FC750EF28C885A2ABBE5FF88354F088859FD8A9B361DB34ED01CB92

Function 01030436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0106FC08,?), ref: 010305F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0106FC08,?), ref: 01030608
CLSIDFromProgID.OLE32(?,?,00000000,0106CC40,000000FF,?,00000000,00000800,00000000,?,0106FC08,?), ref: 0103062D
_memcmp.LIBVCRUNTIME ref: 0103064E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: d11c1d8ce0737acb61d040833a3353d3e8cf9a4ef19007004413ee41c6ddf964
Instruction ID: 5720831c45b4c2350c202680ed2604148b200fcea2eb41a4266451c94d169162
Opcode Fuzzy Hash: d11c1d8ce0737acb61d040833a3353d3e8cf9a4ef19007004413ee41c6ddf964
Instruction Fuzzy Hash: CC812A75A00109EFCB04DF98C984EEEB7B9FF89315F204598F546AB254DB71AE06CB60

Function 01011391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 010114C0

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f92ee3700772e96a7e4857c65ebf544d06f682291b0762979df9eb61addfc15b
Instruction ID: 6be404440a759cb1dc3283453eae81d04c26f74eb85083e15d57faeaf3329a9c
Opcode Fuzzy Hash: f92ee3700772e96a7e4857c65ebf544d06f682291b0762979df9eb61addfc15b
Instruction Fuzzy Hash: 08413731A40105ABEB2A6BFC9C44BFE3AE4EF11B70F144265F799D61E5EE3C84409672

Function 01066278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0137EBA8,?), ref: 010662E2
ScreenToClient.USER32(?,?), ref: 01066315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01066382

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 78bd10334bc338c3717cd88c91d67b2c0c07ba3b8fe0197d02035ae175a432b5
Instruction ID: c22415acc0d59cad8f802b3d1f2573315e609fc22ba4bea4ab0e618e4fe37c26
Opcode Fuzzy Hash: 78bd10334bc338c3717cd88c91d67b2c0c07ba3b8fe0197d02035ae175a432b5
Instruction Fuzzy Hash: 34518F70A00619EFDF21DF58D8809AE7BFAFF45360F108199F9959B291D732E941CB50

Function 01051AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01051AFD
WSAGetLastError.WSOCK32 ref: 01051B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01051B8A
WSAGetLastError.WSOCK32 ref: 01051B94

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 98d98ff149fbed7519d87128c8676392e09888d0de69bbf7c0ebb6e09e84eb20
Instruction ID: bc73338fdfa9db25fc0d4f6fc586d3814ddb4d82023af5a8c79a858ef351894d
Opcode Fuzzy Hash: 98d98ff149fbed7519d87128c8676392e09888d0de69bbf7c0ebb6e09e84eb20
Instruction Fuzzy Hash: 0D41B334600200AFE760AF24C886F2A77E5AB44718F588499FA5A9F3D3D776DD41CB90

Function 0100B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762cecce9222ba988bc8b4f6d32b4fad9dd1ca804e7b0fad7db132e2debe0005
Instruction ID: b0d63faff8cb252431c4c2a5382daacfb96928d3ccc3aa6c61e8edadb8587275
Opcode Fuzzy Hash: 762cecce9222ba988bc8b4f6d32b4fad9dd1ca804e7b0fad7db132e2debe0005
Instruction Fuzzy Hash: B141067AA00305AFE7269F78CC41BAEBBE9EF88710F10456AF185DB2D0D6759A018790

Function 010456D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01045783
GetLastError.KERNEL32(?,00000000), ref: 010457A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010457CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010457FA

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 137d88af0527b7cc2bb0fdbe9252de9262f7f8011729c3660ddb9328a5282b5f
Instruction ID: 24e7158e69ccbf13041f0ef056f7490c2fb1c8cbbd31e84b1df8483cc4518343
Opcode Fuzzy Hash: 137d88af0527b7cc2bb0fdbe9252de9262f7f8011729c3660ddb9328a5282b5f
Instruction Fuzzy Hash: 86414C35200611DFCB11EF14D984A5DBBE2EF88320B088499EC8AAF366DB34FD01DB91

Function 0100D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FF6D71,00000000,00000000,00FF82D9,?,00FF82D9,?,00000001,00FF6D71,8BE85006,00000001,00FF82D9,00FF82D9), ref: 0100D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0100D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0100D9AB
__freea.LIBCMT ref: 0100D9B4

Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bb8e2588e232156f1fbd2ca7619e83fe5d8902db28e15934ed83cf6486a79f0e
Instruction ID: de48de5e01806a1ee68b5fffee74f7af67b0c974d168acf38b70beded9c8cac2
Opcode Fuzzy Hash: bb8e2588e232156f1fbd2ca7619e83fe5d8902db28e15934ed83cf6486a79f0e
Instruction Fuzzy Hash: 0831B371A0020AABEF26DFA8DD40EAE7BA6EF41310F0541A9FD44D7190D739D950CBA0

Function 0103AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0103AAAC
SetKeyboardState.USER32(00000080), ref: 0103AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0103AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0103AB88

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8ea29d66e474d9b29fb2139193b4d06f966f4662004aae7de7a13cec5cd27f32
Instruction ID: 7b187cad42330b3dc0337898244af3011073b3d0482e2b3841b8b39ded58d0b2
Opcode Fuzzy Hash: 8ea29d66e474d9b29fb2139193b4d06f966f4662004aae7de7a13cec5cd27f32
Instruction Fuzzy Hash: 5631E531B40248EEFF398A698804BFA7BEEABC5310F044A5AE5C1D71D2D3799581C765

Function 010652C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01065352
GetWindowLongW.USER32(?,000000F0), ref: 01065375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01065382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010653A8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: b9bbb113553c979a9048ab9db7a821b23edac822742e1c650c78752f411faaab
Instruction ID: b1b980bdfaca29cc400974f049c17e6140603ee53fe6ce94258e5a61fe2745e3
Opcode Fuzzy Hash: b9bbb113553c979a9048ab9db7a821b23edac822742e1c650c78752f411faaab
Instruction Fuzzy Hash: 5531C534A55628EFFB748E18CC05BE83BA9AB04B90F48C142FBD1961E1D7F59A40DB42

Function 01067674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0106769A
GetWindowRect.USER32(?,?), ref: 01067710
PtInRect.USER32(?,?,01068B89), ref: 01067720
MessageBeep.USER32(00000000), ref: 0106778C

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4fda925403139749ffaf123097a15b4cdac62ec6bcd0c684bac898d9c0df25d8
Instruction ID: e57f937f6f461ef60c95d15f42f96e8547a67ef6e98301c44721af995ebe44ff
Opcode Fuzzy Hash: 4fda925403139749ffaf123097a15b4cdac62ec6bcd0c684bac898d9c0df25d8
Instruction Fuzzy Hash: D841BF34601205EFEB12CF58C884EA97BF8FF48318F0481A8E5949B255D739E941CF90

Function 010616DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010616EB

Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65

GetCaretPos.USER32(?), ref: 010616FF
ClientToScreen.USER32(00000000,?), ref: 0106174C
GetForegroundWindow.USER32 ref: 01061752

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: acce1fc6e2324259d5ff2f10a8dc0313d06b344930df1749a4f1ee6ec9b9fd36
Instruction ID: 488f249df222336859af4fc3e7b5b159fbedbb7d53cecebe895b75f8d27f6243
Opcode Fuzzy Hash: acce1fc6e2324259d5ff2f10a8dc0313d06b344930df1749a4f1ee6ec9b9fd36
Instruction Fuzzy Hash: 94313E75D00249AFD700EFA9C8818EEBBFDFF88204B5480AAE455E7311E7359E45CBA0

Function 0103D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0103D501
Process32FirstW.KERNEL32(00000000,?), ref: 0103D50F
Process32NextW.KERNEL32(00000000,?), ref: 0103D52F
CloseHandle.KERNEL32(00000000), ref: 0103D5DC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab0de264ba8d5d53d97509758cb480727708b478deb11c9698da120cd8be99a0
Instruction ID: 26d21dbefa4ae0453d9c3e51e5c1f5d91ed36d47a9d6bef5be5f0d102190383a
Opcode Fuzzy Hash: ab0de264ba8d5d53d97509758cb480727708b478deb11c9698da120cd8be99a0
Instruction Fuzzy Hash: 8031AF711083009FD301EF94CC81AAFBBE9EFD9344F44092EF5C1862A1EB759A48DB92

Function 01068FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

GetCursorPos.USER32(?), ref: 01069001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,01027711,?,?,?,?,?), ref: 01069016
GetCursorPos.USER32(?), ref: 0106905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01027711,?,?,?), ref: 01069094

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 42a975d3fc39406ffa6f96ecf704eca8e7d81700c059f823d67988ecb9033212
Instruction ID: 1dd98e5451fa0d60c4693b410fad92e71ae3c59eca9131f89d279a66482eacb8
Opcode Fuzzy Hash: 42a975d3fc39406ffa6f96ecf704eca8e7d81700c059f823d67988ecb9033212
Instruction Fuzzy Hash: D521BF35601018FFEF258F98C848EFA3FF9EB89350F004099FA8547261C3369990DB60

Function 0103D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0106CB68), ref: 0103D2FB
GetLastError.KERNEL32 ref: 0103D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0103D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0106CB68), ref: 0103D376

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: fc3842c407c58d6382caafa14ec9b325fff81840d0faf01edec9943a8db1b455
Instruction ID: ed6111901316be25e84a1e00bf8fc7adf8e584495e540565fa6f89ae344476e9
Opcode Fuzzy Hash: fc3842c407c58d6382caafa14ec9b325fff81840d0faf01edec9943a8db1b455
Instruction Fuzzy Hash: FF21E2705083019F9310DFA8C98086E7BECEE86324F948A5EF4D9C72A1D735DE09CB92

Function 01031571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01031014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0103102A
Part of subcall function 01031014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01031036
Part of subcall function 01031014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031045
Part of subcall function 01031014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0103104C
Part of subcall function 01031014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010315BE
_memcmp.LIBVCRUNTIME ref: 010315E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01031617
HeapFree.KERNEL32(00000000), ref: 0103161E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4eba2cb71552c9f9f650033a5a172887f87730b2b119a1af4991f6dffefe7376
Instruction ID: 89dc790d7e67506cb17119217a11e5adecf2851ea69194f8be6e9d481713de0a
Opcode Fuzzy Hash: 4eba2cb71552c9f9f650033a5a172887f87730b2b119a1af4991f6dffefe7376
Instruction Fuzzy Hash: C1219031E00109EFEB10DFA9C944BEEBBF8EF88354F084499E581AB240D735AA05DB60

Function 01062782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0106280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01062824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01062832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01062840

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fdb18b7d0e1f4ab59d0cd83062345b46ffa3ffc1d4849f72743d08dcdd863825
Instruction ID: 1193ca5c2cdab0838c5092488acfeb9d05eb89f46ef1dfcc0e6f16faa9af26d1
Opcode Fuzzy Hash: fdb18b7d0e1f4ab59d0cd83062345b46ffa3ffc1d4849f72743d08dcdd863825
Instruction Fuzzy Hash: 1421C131205112AFE7149B24CC44FAA7B99AF45324F198159F4A68B6E2C77AEC82C7D0

Function 0104CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0104CE89
GetLastError.KERNEL32(?,00000000), ref: 0104CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0104CEFE

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: fd44a7e00618637097048eda477c1bbad86685d0d455814f4d282df8e4b092ca
Instruction ID: 16a41945809d4938086c1d1d1ac369cccf750c1ac0f601e6c72c4a91894021c4
Opcode Fuzzy Hash: fd44a7e00618637097048eda477c1bbad86685d0d455814f4d282df8e4b092ca
Instruction Fuzzy Hash: E92190B15013059BF770DF6ACA84BAA7BF8EF40354F10446EE6C6D2162E779EA049B50

Function 010378F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01038D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0103790A,?,000000FF,?,01038754,00000000,?,0000001C,?,?), ref: 01038D8C
Part of subcall function 01038D7D: lstrcpyW.KERNEL32(00000000,?), ref: 01038DB2
Part of subcall function 01038D7D: lstrcmpiW.KERNEL32(00000000,?,0103790A,?,000000FF,?,01038754,00000000,?,0000001C,?,?), ref: 01038DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01037923
lstrcpyW.KERNEL32(00000000,?), ref: 01037949
lstrcmpiW.KERNEL32(00000002,cdecl,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01037984

Strings

cdecl, xrefs: 0103797B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 98e191f0c8257601d15f40880996ecacaee38dae72e9f2c451a19b51794c0ed6
Instruction ID: b64251baa8cbc953f2537af8ab19cae0a1aae5017949b02b18376790c1d4e656
Opcode Fuzzy Hash: 98e191f0c8257601d15f40880996ecacaee38dae72e9f2c451a19b51794c0ed6
Instruction Fuzzy Hash: BC11067A200342ABDB256F39C844E7A77E9FF85350B00816BF982CB264EB369801C751

Function 01067CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01067D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01067D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01067D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0104B7AD,00000000), ref: 01067D6B

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c112b62e5f9227084c56163900a14b92934b53da485f43edfa33750358b3753d
Instruction ID: 1de9685bb4d26cc3a26201b68881aaca2df2a56f6d0d569f24bc0245873d59d0
Opcode Fuzzy Hash: c112b62e5f9227084c56163900a14b92934b53da485f43edfa33750358b3753d
Instruction Fuzzy Hash: 2611E432200615AFDB60AF2CCC04A6A3BE8BB45374F114B64F9B5C72F4E7358950CB50

Function 01065660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010656BB
_wcslen.LIBCMT ref: 010656CD
_wcslen.LIBCMT ref: 010656D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01065816

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b9474b84c0fdfc845bac379499baf98fbdcc81807b5c1106b71c4b1ad2affdd0
Instruction ID: 81b9f5e5a1661ed79f61b48ae0d3b35ae9ad5e16fad4ebe49523f0b81fc2d517
Opcode Fuzzy Hash: b9474b84c0fdfc845bac379499baf98fbdcc81807b5c1106b71c4b1ad2affdd0
Instruction Fuzzy Hash: 3111D67160020996EB209F65DC85AFF7BACEF057A4F0040AAFAD5D6081EBB4D540CB60

Function 01001D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee98c522b8af2b8502dff0751215f1c520cd55041580386c951f5f8054a1e8ee
Instruction ID: 53de52e6dffcd1c4aba9f59f10037b52bdaf852298f2acacadbd3dfedd877f99
Opcode Fuzzy Hash: ee98c522b8af2b8502dff0751215f1c520cd55041580386c951f5f8054a1e8ee
Instruction Fuzzy Hash: 6701A2B220961A7EF66335B86CC0F6B665DDF513B8F300326F6A1A11D5EB71CC004270

Function 01031A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01031A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A8A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b66ecb809a49d730073bf9905cbe8179fbfbf87ffb72a5647985ec5c1690e940
Instruction ID: 77b93934eb42ab904acefdf3372fcd4391b2bd615e296b67771a3e29cde89083
Opcode Fuzzy Hash: b66ecb809a49d730073bf9905cbe8179fbfbf87ffb72a5647985ec5c1690e940
Instruction Fuzzy Hash: DD11093AD00219FFEB11DBA9C985FADBBB8EB48750F200091EA44B7290D7716E51DB94

Function 0103E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0103E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0103E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0103E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0103E24D

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 7e5325b9fbe69f89d403eb7642ea0b9aa544189a7903912d90d99b0c39eee3dd
Instruction ID: 19b47b52b44b8211515cd464d98accccaf27ef626461038d2571f84c99324e93
Opcode Fuzzy Hash: 7e5325b9fbe69f89d403eb7642ea0b9aa544189a7903912d90d99b0c39eee3dd
Instruction Fuzzy Hash: FC11DB76904258BFD7219FACDC05A9E7FADAF85310F048355F994D3284D6B9D90487A0

Function 00FFD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00FFCFF9,00000000,00000004,00000000), ref: 00FFD218
GetLastError.KERNEL32 ref: 00FFD224
__dosmaperr.LIBCMT ref: 00FFD22B
ResumeThread.KERNEL32(00000000), ref: 00FFD249

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c77671f7113293bcd8688f532970268a9d4716f4c407e6348f3c586e7f0036ac
Instruction ID: bf9b8ba75b8777e86f28b51c35c22dd8de2ef1e07a177f322ad23c976c06f397
Opcode Fuzzy Hash: c77671f7113293bcd8688f532970268a9d4716f4c407e6348f3c586e7f0036ac
Instruction Fuzzy Hash: 6901D63680511CBBEB215BA5DC09BBE7A6ADF82331F100259FA25961F0DB75C901E7E0

Function 00FD600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
GetStockObject.GDI32(00000011), ref: 00FD6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 75c3d9ac082bcae54f8f41cd129e2cf69092170c40a390e5c7315318c6d93504
Instruction ID: b3d8886e4b6f6c94510251931b1641330a7238188c1c3cd0e3351fe2cfaf3ad6
Opcode Fuzzy Hash: 75c3d9ac082bcae54f8f41cd129e2cf69092170c40a390e5c7315318c6d93504
Instruction Fuzzy Hash: BB116172501549BFEF225F949C48EEA7B6AFF0D364F040116FA5492114D73ADC60EB90

Function 00FF3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00FF3B56

Part of subcall function 00FF3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FF3AD2
Part of subcall function 00FF3AA3: ___AdjustPointer.LIBCMT ref: 00FF3AED

_UnwindNestedFrames.LIBCMT ref: 00FF3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FF3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00FF3BA4

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0d96a72a7dcc28a065c97870d4f4ba8c11b08f982fb95cdba298975abdb9078c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: FC01173250014DBBDF125E95CC42EFB3B69EF88764F044055FF48A6131C636E961EBA0

Function 01003073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FD13C6,00000000,00000000,?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue), ref: 010030A5
GetLastError.KERNEL32(?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue,01072290,FlsSetValue,00000000,00000364,?,01002E46), ref: 010030B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue,01072290,FlsSetValue,00000000), ref: 010030BF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c63e4ab38c603906820a7dadf402c86f31ed26f631e3efb6350bb96b336cf20b
Instruction ID: 006eec8d165318ed07fb8b1b83da27efe7b5b1ac9a145788b4a3bff4253d2497
Opcode Fuzzy Hash: c63e4ab38c603906820a7dadf402c86f31ed26f631e3efb6350bb96b336cf20b
Instruction Fuzzy Hash: CC01D432712222AFFB338ABD9C54A577B98BF05A61F104620F9C9EB1C1D726D401C7E0

Function 01037464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0103747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01037497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010374AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010374CA

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ef8e0da91d251df6f23858816c915ff6b85feb52f80e0ed0891d40e6f890dc8b
Instruction ID: 0212238a74dfb384039edda2038276521e27d1217e519422e544c5653c7de2ec
Opcode Fuzzy Hash: ef8e0da91d251df6f23858816c915ff6b85feb52f80e0ed0891d40e6f890dc8b
Instruction Fuzzy Hash: 061139B5201305ABF7308F54E909B967FFCEB80B04F008569E6D6D6591DBB5F904CB60

Function 0103B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B126

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8995cecf3009846d7072edaa1229e14c2e66dc9bb995bde139c6a213c365fe7b
Instruction ID: 467cd6aa10ea720184009e5258125deb376e716b58d474027140f61de15511d8
Opcode Fuzzy Hash: 8995cecf3009846d7072edaa1229e14c2e66dc9bb995bde139c6a213c365fe7b
Instruction Fuzzy Hash: 61115B31C0151CEBDF10AFE4E9586EEBF78FF8A715F404486E9C1B6289CB3596508B61

Function 01032DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01032DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 01032DD6
GetCurrentThreadId.KERNEL32 ref: 01032DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01032DE4

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4e803fa2c80d57d1e98ac941e7935ead9eb480db8d395605be86cbeb3e93188b
Instruction ID: 73a3f9d7e55b3ca333c793ac5c179e1f23d3b46b35a4ca7c7c049a0643354749
Opcode Fuzzy Hash: 4e803fa2c80d57d1e98ac941e7935ead9eb480db8d395605be86cbeb3e93188b
Instruction Fuzzy Hash: 94E09271101224BBEB302A779D0DFEB7E6CEF87BA1F000015F286D50809AAAD840C7B0

Function 01068863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96A2
Part of subcall function 00FE9639: BeginPath.GDI32(?), ref: 00FE96B9
Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01068887
LineTo.GDI32(?,?,?), ref: 01068894
EndPath.GDI32(?), ref: 010688A4
StrokePath.GDI32(?), ref: 010688B2

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 624d001936c75fd6432ef09585851636bb0b1f4b15db1a70d3414069e2ed98e0
Instruction ID: afa714b8b61f41487ab1438ade8b441dc46d5a65529f194cc3af9a0338dd5221
Opcode Fuzzy Hash: 624d001936c75fd6432ef09585851636bb0b1f4b15db1a70d3414069e2ed98e0
Instruction Fuzzy Hash: FFF05E36045658BAFB226F94AD09FCE3F59AF0A310F048141FB91650E5C7BA5111DFE5

Function 00FE98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FE98CC
SetTextColor.GDI32(?,?), ref: 00FE98D6
SetBkMode.GDI32(?,00000001), ref: 00FE98E9
GetStockObject.GDI32(00000005), ref: 00FE98F1

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 00dc67af47df2739dac67dd16e9e846b12252bd8f6190130e43636cd3f1cfb20
Instruction ID: 9943d16f2669282915d9612fd7bed22a14c767e25f56e9ff0695d372c09ddf67
Opcode Fuzzy Hash: 00dc67af47df2739dac67dd16e9e846b12252bd8f6190130e43636cd3f1cfb20
Instruction Fuzzy Hash: 04E06531240290EAEB315B78A909BD93F51AB12335F048219F7F9580E5C77642509B11

Function 0103162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 01031634
OpenThreadToken.ADVAPI32(00000000,?,?,?,010311D9), ref: 0103163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010311D9), ref: 01031648
OpenProcessToken.ADVAPI32(00000000,?,?,?,010311D9), ref: 0103164F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5586e8680e62b7f0ebd2fe20684182123df68f207e14b365f99426f8821e0d0a
Instruction ID: da2455be6d07dc350c0c2c2e587d3dd813e457deaf1aed9641165ca931cf25da
Opcode Fuzzy Hash: 5586e8680e62b7f0ebd2fe20684182123df68f207e14b365f99426f8821e0d0a
Instruction Fuzzy Hash: A4E08631601212ABF7701FE59F0DB463BBDAF4A791F144848F6C9C9084D6394040C750

Function 0102D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0102D858
GetDC.USER32(00000000), ref: 0102D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102D882
ReleaseDC.USER32(?), ref: 0102D8A3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e09aacb0591fe5c21f3df0a0e9b67986005027c5143bb746e9d47c1380f1e0df
Instruction ID: 82e621c1f67db4925bd5d37905fc53f8de943361c5b018c5cef618780a00e694
Opcode Fuzzy Hash: e09aacb0591fe5c21f3df0a0e9b67986005027c5143bb746e9d47c1380f1e0df
Instruction Fuzzy Hash: FDE01AB5800245DFEB519FA0D60866DBBB6FB08310F14900AF8CAE7254C77E6901AF54

Function 0102D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0102D86C
GetDC.USER32(00000000), ref: 0102D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102D882
ReleaseDC.USER32(?), ref: 0102D8A3

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a37d669390a12fe71b903b72c28958e68a3e2b7aa89dce8d1f4c235c03465389
Instruction ID: fcae2cda5d225899da9f5f48fe35a92f983c68ca7d5c7e5a86667d96b07b3a47
Opcode Fuzzy Hash: a37d669390a12fe71b903b72c28958e68a3e2b7aa89dce8d1f4c235c03465389
Instruction Fuzzy Hash: E7E01A71800240DFDB609FA0D50866DBBB5FB08310B149009F98AE7254C73E6901AF54

Function 01044D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01044ED4

Strings

LPT, xrefs: 01044DFB
*, xrefs: 01044E10

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 87ada391f0f7a2a4c056f54b6ea18e10725b378558321522899565fe8779b5e1
Instruction ID: 5616581edc966602fbcdb0566b640a3b3d5c3ea00f8f5e3a776f83ca54799d88
Opcode Fuzzy Hash: 87ada391f0f7a2a4c056f54b6ea18e10725b378558321522899565fe8779b5e1
Instruction Fuzzy Hash: D3916FB5A042049FDB15DF58C8C4FAABBF1AF44304F1980A9E84A9F362D735ED85CB91

Function 00FFE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FFE30D

Strings

pow, xrefs: 00FFE2E5, 00FFE302

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b3fdecc7554f1b31e655849d335909f8f2fe2003bee11e0426d719eab86f8815
Instruction ID: eb123f7609eb0937f82f34d43529614e7c0b57355d1c84be3f1fc66907d158a2
Opcode Fuzzy Hash: b3fdecc7554f1b31e655849d335909f8f2fe2003bee11e0426d719eab86f8815
Instruction Fuzzy Hash: C8518E72E0920A96EB277718C9043B93FE4EF50750F204969E1D5422FCEF3D9C95AB46

Function 00FEE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00FEE1B1

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7d52239c26b51028eda69f9041a7b39a50a4795a27a14a204b34d9077f02536d
Instruction ID: d25bc105b9278c3d7049c8d9f6432819f368e46d3b3e3cb50a9023e9f0f7e81d
Opcode Fuzzy Hash: 7d52239c26b51028eda69f9041a7b39a50a4795a27a14a204b34d9077f02536d
Instruction Fuzzy Hash: B4517235A44296DFEF15DF68D4806BA7BA4FF05310F248096E9C19B2D0D6389D42DBA0

Function 00FEF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FEF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FEF2BB

Strings

@, xrefs: 00FEF2AF

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 55ff205b0327e81eeb9f2759d8a15bdfbbc92a99b8a981007837a50dfd7b8c4c
Instruction ID: dd2bc054cc419711d43e58a4233070ef7b66e973f004918e62405a23248236ab
Opcode Fuzzy Hash: 55ff205b0327e81eeb9f2759d8a15bdfbbc92a99b8a981007837a50dfd7b8c4c
Instruction Fuzzy Hash: B95156714087459BD320AF10DC86BAFBBF9FF84300F85884EF1D981295EB75852ACB66

Function 01055745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010557E0
_wcslen.LIBCMT ref: 010557EC

Strings

CALLARGARRAY, xrefs: 010557E6, 010557EB

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 9696d0657edf8c0f97e0aa47a5c0d35b7ebff379919df21571736de382265e9f
Instruction ID: 26722876cb509e44a396774d8830954ad972a3c059852dd96f34638e970614a6
Opcode Fuzzy Hash: 9696d0657edf8c0f97e0aa47a5c0d35b7ebff379919df21571736de382265e9f
Instruction Fuzzy Hash: EA41A131E002099FCB54DFA9CC819BEBBF5FF49320F14406AE985A7292E7759981CB90

Function 0104D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0104D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0104D13A

Strings

|, xrefs: 0104D10B

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 82a7db0aaadb44f7bf56f1df010e16dc1288722efea76e5bc71e7bd05a85fa4b
Instruction ID: 63ddcb89436e35d4cd006622d9d38de9aa026b7b7917e9bbf19840a8647b79f3
Opcode Fuzzy Hash: 82a7db0aaadb44f7bf56f1df010e16dc1288722efea76e5bc71e7bd05a85fa4b
Instruction Fuzzy Hash: F3313D75D00209ABDF15EFE4CC85AEE7FBAFF14300F04006AF915A6266D735AA06DB54

Function 0106356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01063621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0106365C

Strings

static, xrefs: 010635BC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f18c917200093b41fa18a12b9e0841f4df99aeca2f607e5c35f0710c4156794b
Instruction ID: f8814a7a18f730f6ea171e9ce2e29c0aca3109a143ca081fbb2564e117f9cdfa
Opcode Fuzzy Hash: f18c917200093b41fa18a12b9e0841f4df99aeca2f607e5c35f0710c4156794b
Instruction Fuzzy Hash: 18318171100604AAEB109F68DC40EFB73ADFF48714F00961AF9A997250DA35AC81D7A0

Function 01064537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0106461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01064634

Strings

', xrefs: 0106458E

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d68ee2e9c29d2845298a16d990c57516a536e9b525fbfe8e841a3e7e9281ef5d
Instruction ID: e0801c4a699bed0bf6624d972cfb488d1e9cc74d273aff77eb4c9c67b17ebd72
Opcode Fuzzy Hash: d68ee2e9c29d2845298a16d990c57516a536e9b525fbfe8e841a3e7e9281ef5d
Instruction Fuzzy Hash: AE310674A0120AAFDB54CFA9C980ADA7BF9FF49300F14416AEA45EB342D771A941CF90

Function 010631EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0106327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01063287

Strings

Combobox, xrefs: 01063249

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 792b8c2859d4946412726cc17ad111b7b184f683a9b3a870daf96d84c0ea11d3
Instruction ID: c579cb1e9c2e4b4684cf6e0e0ec6211581c5fd9d8587df9fa0ec8ba587ec35c2
Opcode Fuzzy Hash: 792b8c2859d4946412726cc17ad111b7b184f683a9b3a870daf96d84c0ea11d3
Instruction Fuzzy Hash: 1C11E67130020A7FFF629E58DC80EBB379EFB48364F104125F5989B291D6759C50C7A0

Function 01063710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FD600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
Part of subcall function 00FD600E: GetStockObject.GDI32(00000011), ref: 00FD6060
Part of subcall function 00FD600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A

GetWindowRect.USER32(00000000,?), ref: 0106377A
GetSysColor.USER32(00000012), ref: 01063794

Strings

static, xrefs: 01063757

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 57e4ab82a242456c184536177663147bec98f75e4771488733c5a753d8b9d6d0
Instruction ID: ab0ddae9897c3ee72879365b7664d3abaf26280e48eaf7056af3340001df826b
Opcode Fuzzy Hash: 57e4ab82a242456c184536177663147bec98f75e4771488733c5a753d8b9d6d0
Instruction Fuzzy Hash: 70113A72610209AFEF11DFA8CD45EEE7BF8FB08354F004515F995E6250D779E8509B90

Function 0104CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0104CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0104CDA6

Strings

<local>, xrefs: 0104CD66

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c5aa6b000b87ce6d376617803f54bc63139999bdfb93ff4b1f6c0dfd803b240c
Instruction ID: 78e9e37e246de2ed616550a12d5f843f12cbc563380a6d99c1161c9a2981b378
Opcode Fuzzy Hash: c5aa6b000b87ce6d376617803f54bc63139999bdfb93ff4b1f6c0dfd803b240c
Instruction Fuzzy Hash: 0C1106B12026317BE7786A668D84EE7BEACEF026A4F00422AB1C983080D3759440C6F0

Function 01063429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010634AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010634BA

Strings

edit, xrefs: 0106348F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8e88538d751e03edf3a33c057393ed528c1df47572925ff370f4b9a076ee442c
Instruction ID: 06b7080dae4719a3b0b6a3d17808dcb6dc14b822241334272673d0058fdb69d0
Opcode Fuzzy Hash: 8e88538d751e03edf3a33c057393ed528c1df47572925ff370f4b9a076ee442c
Instruction Fuzzy Hash: 9011B275100104ABEB624E68DC44AEB77AEFF05374F504314F9E89B1D4CB75EC519790

Function 01036C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

CharUpperBuffW.USER32(?,?,?), ref: 01036CB6
_wcslen.LIBCMT ref: 01036CC2

Strings

STOP, xrefs: 01036CBC, 01036CC1

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: c27972536f8ad7846dd25a27fef1bde6b2ce1f27ac26d235ebc3d767077fe182
Instruction ID: 960dcd8978e8cf357e70fd57faf32659b876aa30154f9aeff6403499b792b72a
Opcode Fuzzy Hash: c27972536f8ad7846dd25a27fef1bde6b2ce1f27ac26d235ebc3d767077fe182
Instruction Fuzzy Hash: BC010832E1052A9ACB21AFFDDC448BF77F9EA91614B000565E49296195EA37D640C750

Function 01031BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 01031C46

Strings

ListBox, xrefs: 01031C10
ComboBox, xrefs: 01031BE5

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ad77f1ce5a5afa618a62972c14921a686935dd3d90f210694c92ad1792db30a3
Instruction ID: 563697851b7a4acaf70ba6249909281b05f5c56bedeab94490279645a306ec2e
Opcode Fuzzy Hash: ad77f1ce5a5afa618a62972c14921a686935dd3d90f210694c92ad1792db30a3
Instruction Fuzzy Hash: 2C01477171010D66DF04EBE2CE519FF77ED9B56340F04001AB49267281EA74AE0897B1

Function 01031C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 01031CC8

Strings

ListBox, xrefs: 01031C94
ComboBox, xrefs: 01031C69

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2c330cc9a0ba6b777744399cfc394ebbdfe437ecd69eaaa4bb615e8260ae1a4b
Instruction ID: d7ef093abf0e493ed38da9c99dc941fef1a1500b4953c4e79ad1c0ba666c9271
Opcode Fuzzy Hash: 2c330cc9a0ba6b777744399cfc394ebbdfe437ecd69eaaa4bb615e8260ae1a4b
Instruction Fuzzy Hash: 2401267171011D67DF04EBE5DE11AFF77ECAB65340F04002AB88267281EA749E08D771

Function 01031D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01031DD3

Strings

ListBox, xrefs: 01031DA0
ComboBox, xrefs: 01031D75

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6fd57bb43b4ee2b12900f0a85e446413e69a419c665ccb29cdd157c07cc1b82a
Instruction ID: bb19a0d1160db926fc4a7bdb5b8313831591d0608686b790aff16cc1552028ca
Opcode Fuzzy Hash: 6fd57bb43b4ee2b12900f0a85e446413e69a419c665ccb29cdd157c07cc1b82a
Instruction Fuzzy Hash: 12F04F30B1022966DB04F7E5DC95AFF77ACAF46340F08080AB8A2672C0EAB4590892A0

Function 0105747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01057493
_wcslen.LIBCMT ref: 010574B9

Strings

3, 3, 16, 1, xrefs: 01057483

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2bb586554f33403a0af5991ddeab46a70cdd7021613e2800ca60b4497247c158
Instruction ID: c7834f9832c7fe5ae35c83dc12b96ef683d21a08dfcd2429d0f8057c0e3bc97d
Opcode Fuzzy Hash: 2bb586554f33403a0af5991ddeab46a70cdd7021613e2800ca60b4497247c158
Instruction Fuzzy Hash: 2BE0E5023112201093B1127A9CC197F7EC9CFC5650794182EFEC5C2266EF98DD91B3A0

Function 01030B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01030B23

Strings

AutoIt, xrefs: 01030B17
Error allocating memory., xrefs: 01030B1C

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 93012a3edfc2d08cd4f9114daeb149bca2283529cf8b5701cfe7110e747e4d87
Instruction ID: 6eead795e3612027ea779cc3ef8643bab27495dc083cfdc098e13e687c59f56d
Opcode Fuzzy Hash: 93012a3edfc2d08cd4f9114daeb149bca2283529cf8b5701cfe7110e747e4d87
Instruction Fuzzy Hash: 15E0D83124434C36E32436567D03F897A888F05F20F10442BF7D8995C38ADA245022A9

Function 00FF0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FEF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FF0D71,?,?,?,00FD100A), ref: 00FEF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00FD100A), ref: 00FF0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FD100A), ref: 00FF0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FF0D7F

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a70f140f35858573a67155f0e4c1b70fe5bdc0166f821d53d6593278f35603c6
Instruction ID: f55ddc6e0259c8ac388cbdf8b67a97e2262a00fa348e7481cb837b88ed893b51
Opcode Fuzzy Hash: a70f140f35858573a67155f0e4c1b70fe5bdc0166f821d53d6593278f35603c6
Instruction Fuzzy Hash: C1E092742007528BE3309FB9E90875A7BE4AF04B44F04892DE9C6C7756DFBAE4449B91

Function 0102D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0102D220

Strings

%.3d, xrefs: 0102D22B
X64, xrefs: 0102D2A8

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 91d265535195b94fcfe945213ff31ebc3e5145c4d863809d88d0025aaecc6f35
Instruction ID: c2605fdff3a6a12a798048c8cc77502039c16bb4c3b68affc619abf43114d398
Opcode Fuzzy Hash: 91d265535195b94fcfe945213ff31ebc3e5145c4d863809d88d0025aaecc6f35
Instruction Fuzzy Hash: BED01271804129E9DB5096E1CC459BDB37CAB69211F40C452F986D1000D628C90C9B61

Function 01062322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0106232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0106233F

Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3

Strings

Shell_TrayWnd, xrefs: 01062325

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5b64c25f4ae78e2588b92b7cd2d8c77b671507061dc3c6a744c021c29acf0103
Instruction ID: 065754b167a40f88ba17c41289aaddedee89bb37441931858c097f6eabfae5fa
Opcode Fuzzy Hash: 5b64c25f4ae78e2588b92b7cd2d8c77b671507061dc3c6a744c021c29acf0103
Instruction Fuzzy Hash: F0D02232390300B7FA74B330EC0FFCABA08AB04B00F000A06B3C6AA1D4C9F5A800CB04

Function 01062356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0106236C
PostMessageW.USER32(00000000), ref: 01062373

Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3

Strings

Shell_TrayWnd, xrefs: 01062365

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 962dba05881bdfb36587e7609565c75362cecdb4c829e92382bd813e88f8a68e
Instruction ID: fa14ebe6dda5564a093d81f50c0751174b859044498ac8e2ce33a0ff10faeef6
Opcode Fuzzy Hash: 962dba05881bdfb36587e7609565c75362cecdb4c829e92382bd813e88f8a68e
Instruction Fuzzy Hash: 26D0C73139131176F6747671DD0EFC675145754710F004516B6C5991D4D5B568418754

Function 0100BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0100BE93
GetLastError.KERNEL32 ref: 0100BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0100BEFC

Memory Dump Source

Source File: 00000000.00000002.1527818939.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1527805235.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527917456.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527965669.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527982584.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Orden de compra.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: bab199c16eb2a2156af3ee7202441b0a57e9915ce419fae056258cc4f4cc603d
Instruction ID: bc403a280f34f076900621885b3f4e1979b6eca2cabfbe7435821262d6cd359e
Opcode Fuzzy Hash: bab199c16eb2a2156af3ee7202441b0a57e9915ce419fae056258cc4f4cc603d
Instruction Fuzzy Hash: A741B738604646AFFB738F68C844ABA7BE5AF41710F1441ADFAD9971E1DB328901CB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Orden de compra.000854657689654253545676785436.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autE17D.tmp

C:\Users\user\AppData\Local\Temp\autE1BD.tmp

C:\Users\user\AppData\Local\Temp\cerecloths

C:\Users\user\AppData\Local\Temp\molecast

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Orden de compra.000854657689654253545676785436.exe

Function 00FD42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00FD42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 01012BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00FD2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0101065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00FD344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00FD2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00FD3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01008D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 013025F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00FD2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 013023B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Function 01042947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00FD3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre